Security researchers find yet another leak in HTTPS, and it won’t be easy to patch

A new attack has the potential to steal everything from email addresses to social security numbers — and security experts have found it running free in the wild. It works by manipulating the way HTTPS responses are delivered across the transmission control protocol (TCP), allowing nefarious actors to decrypt hidden information to extract personal data on targeted users.

The exploit is known as HEIST, which loosely stands for HTTP Encrypted Information can be Stolen Through TCP-Windows (as per Ars), and it’s especially dangerous because it is both capable and simple. When a web user encounters the malicious code on a web page, that code is able to query a number of pages and measure the size of the data transmitted when each response comes in.

Although that data is protected by HTTPS, using older exploits, nefarious actors may be able to decrypt the data in those packets and thereby discover quite personal data about the individuals affected.

Fortunately the technique was devised by security researchers at the University of Leuven, Belgium, rather than by black-hats. That’s why we’re hearing about it before it’s been utilized for privacy invasions in the wild. The researchers who discovered the exploit, Van Goethem and Mathy Vanhoef, previously disclosed it to both Microsoft and Google, but proved its viability again yesterday by tacking on dangerous code to a New York Times advert.

The pair believe that in the right hands, the security flaw could affect many websites and by extension, many, many users.

Unfortunately, at this time a proper fix doesn’t really exist. End users can disable cookies, which makes it just about impossible for the data sent to be decrypted, but that would also kill the functionality on a lot of sites.

Considering HEIST is merely the means to an end and the exploits that allow the decryption of the HTTPS data have been around for years, this doesn’t seem like a security hole that is going to be patched any time soon. Security researchers aren’t hopeful, either.

Unfortunately, this means we’re all left swinging in the wind when it comes to how best to protect ourselves. The only positive is that, since we need to stumble across malicious code to become vulnerable, sticking to reliable websites that are unlikely to host it is the best way to protect yourself, short of disabling cookies everywhere and walling yourself off from the online world.

Jon Martindale