Bug 1388005 (CVE-2016-7153) - CVE-2016-7153 HTTP/2: HEIST attack allows attackers to sniff TLS encrypted HTTP/2 traffic
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-7153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1364927
Reported: 2016-10-24 08:04 UTC by Dhiru Kholia
Modified: 2021-02-17 03:08 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-24 08:08:17 UTC
Embargoed:



Description Dhiru Kholia 2016-10-24 08:04:51 UTC
HEIST enables an attacker to conduct a BREACH attack against HTTP compression and a CRIME attack against TLS compression without being in a man-in-the-middle position. HEIST uses a side-channel attack involving TCP-windows to leak the exact size of any cross-origin response, without having to observe traffic at the network level. Thus, HEIST enables compression-based attacks such as CRIME and BREACH to be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position.

HEIST stands for "HTTP Encrypted Information can be Stolen through TCP-windows".

External References:

https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows-wp.pdf

Comment 2 Dhiru Kholia 2016-10-24 08:08:17 UTC
Mitigation:

Disable third-party cookies in the browser.

https://support.mozilla.org/en-US/kb/disable-third-party-cookies (Firefox)
https://support.google.com/chrome/answer/95647?hl=en (Google Chrome)

