Beware! Any Website can be Hacked, even the Most Secure One

HEIST, it’s the name of attack technique unveiled by security researchers at KU Leuven. It’s given a definition also – HTTP encrypted information can be stolen through TCP-Windows.

Seems baffling?

Let’s try to figure out.

Recently, Mathy Vanhoef and Tom Van Goethem, PhD researchers in KU Leuven took a short briefing on this subject. They explained how they could able to track vulnerabilities of some secure websites.

I’m interested in quoting some of the main points from this briefing.

The idea of HEIST comes from the background of the number of attacks against SSL/TLS over the last few years. Without the existence of an adversary that’s capable of manipulating network traffic, it wasn’t able to figure out vulnerabilities of these SSL/TLS channels that were attacked. Here’s where HEIST came. It could able to exploit flaws in network protocols without sniffing to network traffic.

How it Works?

In HEIST, it’s possible to compromise an encrypted website using only a JavaScript file that’s hidden in a maliciously created ad. This can measure the size of the encrypted response and thus set up an attack its own. And, with another technique, it can able to pick sensitive information from encrypted data traffic including banking details.

Possible Ways to Avoid such a Situation

Tom Van Goethem also says, disabling third-party cookies in the browser is the only way to prevent attacks at least in the short term. And, it won’t be a heavy task. Most of the today’s browsers, it’ll be On by default. The internet browser used to access sensitive websites should be clean, lacking unwanted plugins or ad-ons. Other browsers can be set to receive cookies.


These type of studies have a great impact in indicating the vulnerabilities in network security. At least some internet browsing programs would become aware of these flaws, and some of them may bring security patches. Anyway, thanks to KU Leuven researchers for figuring out this vulnerability