"We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server," the researchers wrote.