Why can someone watching my encrypted LLM traffic still infer what I asked?
Opportunity
Whisper Leak, disclosed in late 2025, demonstrated that analyzing packet timing and size patterns in encrypted streaming LLM responses classifies prompt topics with greater than 98% precision across 28 major providers. Some providers, including OpenAI and Mistral, deployed fixes, but those mitigations address token-length patterns only. A separate attack exploits speculative decoding: the number of tokens accepted per decoding step varies with output content, and that signal leaks even through padded connections because padding does not eliminate the acceptance-rate fluctuation. Proposed defenses such as token batching reduce attack accuracy by 50% but do not eliminate it, and random padding imposes up to 8.7x payload overhead with residual leakage. No provider has shipped a complete mitigation for the speculative decoding variant.
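A simplified model of the token-length side channel and the batching and padding mitigations described above, as an added example that is not code from the Whisper Leak research or from any provider. It assumes one TLS record per streamed chunk with a constant per-record overhead that is ignored; the sample responses are constructed, and `observed_sizes`, `overhead` and their parameters are hypothetical names.

```python
import random

# Constructed sample responses, already split into tokens (not real model output).
RESP_A = ["You", " should", " see", " a", " doctor", " about", " that", " rash", "."]
RESP_B = ["The", " capital", " of", " France", " is", " Paris", "."]


def observed_sizes(tokens, batch=1, pad_to=0, random_pad=0, rng=None):
    """Plaintext sizes of the records an on-path observer can count.

    Assumption: each streamed chunk becomes one TLS record whose length is
    the chunk's byte length plus a constant, so the constant is ignored.
    batch      tokens grouped into one record (token batching)
    pad_to     round every record up to a multiple of this many bytes
    random_pad add 0..random_pad extra bytes per record
    """
    rng = rng or random.Random(0)
    sizes = []
    for i in range(0, len(tokens), batch):
        n = sum(len(t.encode("utf-8")) for t in tokens[i:i + batch])
        if pad_to:
            n = -(-n // pad_to) * pad_to  # ceiling to the next bucket
        if random_pad:
            n += rng.randint(0, random_pad)
        sizes.append(n)
    return sizes


def overhead(tokens, sizes):
    """Bytes sent divided by bytes of real payload."""
    return sum(sizes) / sum(len(t.encode("utf-8")) for t in tokens)


if __name__ == "__main__":
    for name, resp in (("A", RESP_A), ("B", RESP_B)):
        raw = observed_sizes(resp)                         # one token per record
        batched = observed_sizes(resp, batch=4)            # coarser, still distinct
        padded = observed_sizes(resp, batch=4, pad_to=32)  # uniform sizes
        print(name, raw, batched, padded, round(overhead(resp, padded), 2))
    # Even with identical record sizes, the record count (3 vs 2) still
    # separates the two responses: padding leaves residual leakage.
```

In this model, fixed-bucket padding makes every record the same size at 2.4x the payload for the first response, yet the number of records still differs between the two responses.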
Why it matters
Any user querying a streaming LLM from a network that logs traffic is leaking the topic of their query regardless of TLS encryption, including users who believe they are communicating privately with a medical, legal, or financial assistant.