
Why can someone watching my encrypted LLM traffic still infer what I asked?

Opportunity score: 79

Whisper Leak, disclosed in late 2025, demonstrated that analyzing packet timing and size patterns in encrypted streaming LLM responses classifies prompt topics with greater than 98% precision across 28 major providers. Some providers including OpenAI and Mistral deployed fixes, but those mitigations address token-length patterns only. A separate attack exploits speculative decoding: the number of tokens accepted per decoding step varies with output content, and that signal leaks through even padded connections because padding does not eliminate the acceptance-rate fluctuation. Proposed defenses such as token batching reduce attack accuracy by 50% but do not eliminate it, and random padding imposes up to 8.7x payload overhead with residual leakage. No provider has shipped a complete mitigation for the speculative decoding variant.
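A simplified model of the size channel and of the batching and padding defenses described above, added here as an illustration (it is not code from the Whisper Leak research or from any provider). The token list, the 29-byte per-record framing constant, and the batch, bucket and padding parameters are constructed assumptions, and the model assumes one encrypted record per streamed chunk.

```python
import random

FRAMING = 29  # assumed constant bytes added per encrypted record (constructed value)

# Constructed sample reply, already split into tokens (not real provider output).
SAMPLE = ["The", " symptoms", " of", " influenza", " include", " fever",
          ",", " cough", " and", " fatigue", "."]

def token_lengths(tokens):
    return [len(t.encode("utf-8")) for t in tokens]

def observed_sizes(tokens, mode="none", batch=4, bucket=16, pad_max=32, seed=0):
    """Record sizes visible on the wire for one streamed reply."""
    lens = token_lengths(tokens)
    if mode == "none":            # one record per token: size mirrors token length
        payloads = lens
    elif mode == "batch":         # several tokens per record: only group sums show
        payloads = [sum(lens[i:i + batch]) for i in range(0, len(lens), batch)]
    elif mode == "fixed_pad":     # round each token up to a multiple of `bucket`
        payloads = [-(-n // bucket) * bucket for n in lens]
    elif mode == "random_pad":    # add 0..pad_max random bytes per token
        rng = random.Random(seed)
        payloads = [n + rng.randint(0, pad_max) for n in lens]
    else:
        raise ValueError(f"unknown mode: {mode}")
    return [p + FRAMING for p in payloads]

def report(tokens, **kwargs):
    """What still varies between replies after a mitigation, and what it costs."""
    sizes = observed_sizes(tokens, **kwargs)
    payload = sum(sizes) - FRAMING * len(sizes)
    return {
        "records": len(sizes),              # reply length in streamed chunks
        "distinct_sizes": len(set(sizes)),  # 1 means sizes carry no per-token signal
        "overhead": round(payload / sum(token_lengths(tokens)), 2),
    }

if __name__ == "__main__":
    for mode in ("none", "batch", "fixed_pad", "random_pad"):
        print(f"{mode:10s}", report(SAMPLE, mode=mode))
```

Even with `fixed_pad`, where every record has the same size, the record count still equals the token count, so padding alone leaves the length and timing of the stream observable.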

Why it matters

Any user querying a streaming LLM from a network that logs traffic is leaking the topic of their query regardless of TLS encryption, including users who believe they are communicating privately with a medical, legal, or financial assistant.

How the opportunity score is assessed

The opportunity score is my subjective assessment, not a measured value. It reflects how painful the problem is, how often it occurs, and how inadequate current solutions are. The higher the score, the more I think it is worth building.

Severity: 8/10

How much pain it causes when it occurs.

Frequency: 8/10

How often people actually run into it.

Gap: 8/10

How lacking current tools are for solving it.
