Abstract
Large Language Models (LLMs) are increasingly deployed in sensitive domainsincluding healthcare, legal services, and confidential communications, whereprivacy is paramount. This paper introduces Whisper Leak, a side-channel attackthat infers user prompt topics from encrypted LLM traffic by analyzing packetsize and timing patterns in streaming responses. Despite TLS encryptionprotecting content, these metadata patterns leak sufficient information toenable topic classification. We demonstrate the attack across 28 popular LLMsfrom major providers, achieving near-perfect classification (often >98% AUPRC)and high precision even at extreme class imbalance (10,000:1 noise-to-targetratio). For many models, we achieve 100% precision in identifying sensitivetopics like "money laundering" while recovering 5-20% of target conversations.This industry-wide vulnerability poses significant risks for users undernetwork surveillance by ISPs, governments, or local adversaries. We evaluatethree mitigation strategies - random padding, token batching, and packetinjection - finding that while each reduces attack effectiveness, none providescomplete protection. Through responsible disclosure, we have collaborated withproviders to implement initial countermeasures. Our findings underscore theneed for LLM providers to address metadata leakage as AI systems handleincreasingly sensitive information.