"You insert a packet with the same identification," said Bijl. "There's no way to distinguish it from the real answer as far as the browser is concerned."
Bijl added that communications also have to be in the clear. Encrypted traffic is safe.
And content delivery networks can improve the delivery speeds of legitimate content to the point where it's difficult for the Quantum Insert packet to get to the victim first.
How to detect a Quantum Insert attack
According to Fox-IT, spotting a Quantum Insert attack involves looking for duplicate HTTP response packets that are carrying different contents.
Depending on whether the attacker or the real website won the race to the victim, either the first or the second of the duplicate packets will be the fake one.
Fox-IT has published its code for detecting Quantum Insert on GitHub.
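The duplicate-packet check described above, as an added example that is not Fox-IT's published code. It assumes "duplicate" means two TCP data segments of the same flow covering the same sequence range, extends the check to partially overlapping segments, ignores sequence-number wraparound, and runs on constructed sample segments; the Segment type and function names are this example's own.

```python
from collections import namedtuple

# Simplified view of a captured TCP segment (field names are this example's own).
Segment = namedtuple("Segment", "src sport dst dport seq payload")

def find_conflicting_duplicates(segments):
    """Return (earlier, later) pairs from the same flow whose sequence ranges
    overlap but whose bytes differ in the overlap. Identical retransmissions
    are normal TCP behaviour and are not reported."""
    seen = {}    # flow 4-tuple -> data segments already observed
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue  # pure ACKs carry no data to compare
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        for prev in seen.setdefault(flow, []):
            start = max(prev.seq, seg.seq)
            end = min(prev.seq + len(prev.payload), seg.seq + len(seg.payload))
            if start >= end:
                continue  # no overlapping sequence range
            old = prev.payload[start - prev.seq:end - prev.seq]
            new = seg.payload[start - seg.seq:end - seg.seq]
            if old != new:
                # Either copy may be the forged one, depending on who won the
                # race, so both are reported for an analyst to compare.
                alerts.append((prev, seg))
        seen[flow].append(seg)
    return alerts

# Constructed sample capture (documentation addresses, made-up payloads).
SERVER, CLIENT = "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # Two responses claim sequence number 1000 on one flow with different bytes.
    Segment(SERVER, 80, CLIENT, 51000, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 51000, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Benign retransmission on another flow: same sequence number, same bytes.
    Segment(SERVER, 80, CLIENT, 51001, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 51001, 5000, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for first, second in find_conflicting_duplicates(SAMPLE):
        print("conflicting duplicate at seq", first.seq, "on port", first.dport)
        print("  first :", first.payload[:30])
        print("  second:", second.payload[:30])
```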