You are here

HEIST attack on TLS/SSL

HEIST, TLS, SSL, compression

HEIST is a set of techniques to obtain length information of data in SSL/TLS connection by analyzing TCP windows [1]. The attack can be purely performed in JavaScript and therefore leverage compression attacks like BREACH [2] to a new level because man-in-the-middle is no longer a requirement to perform the attack. At the moment it is unclear how practical HEIST attacks are against users of HTTPS websites in productive environments.

HEIST does not only affect compressed websites but increases the attack surface of them. Response traffic compression is disabled in Airlock WAF by default. This increases the security of SSL/TLS websites protected by Airlock WAF.


Mappings providing access to sensitive data with activated compression are potentially affected by HEIST. From a security point of view we recommend to deactivate response compression for these Mappings.

For all Mappings with activated compression check whether access to the Mapping is restricted. Since HEIST affects only the secrecy (and not integrity) of a TLS connection the attack is not relevant for public accessible resources. If all of the following points apply HEIST potentially affects the corresponding Mapping:

  • There are roles defined in "Restricted to roles" in the Basic tab of the Mapping or the back-end application itself does provide a session/login/authentication mechanism and therefore provides access to sensitive data.
  • The application has to show sensitive data on the same page as user input is reflected.
  • The Mapping is used by browsers or clients that interpret JavaScript.

For applications where compression is mandatory the same mitigation as for the BREACH attack can be applied:

Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration