HEIST paper, ArsTechnica coverage, Twitter discussion
Reading through the paper, the core observation is: TCP congestion control can be (ab)used to infer size of a (cross-origin) resource. Roughly:
- Identify when response headers are received:
- Identify when the response body has finished loading
- XHR readyState (DONE), onload() callbacks, Resource Timing’s responseEnd.
Given both of the above, you can compute the time delta between when the headers were received and response end:
- If delta is small then headers and response fit into same congestion window
- If delta is large then with high probability the response exceeded current congestion window (took multiple RTTs)
If TCP connection is brand new, the above can effectively tell you if response is <14KB. An extended version of this for beyond IW10 is:
- Open a connection and fetch a resource of known size to “pad” the congestion window with known amount of data.
- Request resource you want to know the size of and observe if it comes back in one or multiple RTTs - same criteria as above.
Aside, but related, it’s possible to estimate RTT via javascript: if you know the RTT and have a model for what you expect the congestion window to be, you can use that observe if response took >1 RTT and arrive at same results with similar padding technique (knowledge of when response headers are received improves accuracy, but not necessary).
Armed with above, you can apply a compression oracle attack against the origin, ala Breach. That said, I’m dubious of the claims in the paper about how practical this actually is: tripping over a congestion window boundary doubles said congestion window and that ramps quickly and hence the query rate should be low... Am I missing something here?
Mitigations: all existing BREACH recommendations apply.
In terms of practical implications... /cc @annevk @slightlyoff @domenic
- XHR / Fetch expose reponseStart for cross-origin resources; RT requires TAO.
- Q: Anything we want or need to do here?
- There are many ways to infer responseEnd..
- Q: I’m not sure if and what can be practically done here?
Last but not least, scrubbing through RT spec it looks like we introduced a bug in 88bb585?diff=split#diff-eacf331f0ffc35d4b482f1d15a887d3bL543 ~implying that responseEnd is subject to TAO. It's not.. Unless @plehegar had something else in mind here?