- Jan 24, 2011
- 9,378
One thing that’s been made abundantly clear by mathematicians and cryptographers alike is that despite the NSA’s dragnet surveillance of phone calls and Internet traffic, the spy agency has not been able to crack the math holding up encryption technology.
Those who wish to spy and steal on the Internet continuously hit a wall when it comes to crypto algorithms, leaving no alternative but to find a way to subvert the technology in order to reach their targets.
In response, security and privacy experts, as well as cryptographers, have urged companies to turn HTTPS on by default for web-based services such as email and social networking. A group of researchers from UC Berkeley, however this week published a paper, that explains new attacks that aid in the analysis of encrypted traffic to learn personal details about the user, right down to possible health issues, financial affairs and even sexual orientation.
The paper “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” builds on previously successful research on SSL traffic analysis, Tor and SSH tunneling exposing vulnerabilities in HTTPS leading to precise attacks on the protocol that expose sensitive personal information.
The researchers—Brad Miller, Ling Huang, A.D. Joseph and J.D. Tygar—developed new attack techniques they tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in the paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.
“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”
Read more: http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-your-web-surfing/104667
Those who wish to spy and steal on the Internet continuously hit a wall when it comes to crypto algorithms, leaving no alternative but to find a way to subvert the technology in order to reach their targets.
In response, security and privacy experts, as well as cryptographers, have urged companies to turn HTTPS on by default for web-based services such as email and social networking. A group of researchers from UC Berkeley, however this week published a paper, that explains new attacks that aid in the analysis of encrypted traffic to learn personal details about the user, right down to possible health issues, financial affairs and even sexual orientation.
The paper “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” builds on previously successful research on SSL traffic analysis, Tor and SSH tunneling exposing vulnerabilities in HTTPS leading to precise attacks on the protocol that expose sensitive personal information.
The researchers—Brad Miller, Ling Huang, A.D. Joseph and J.D. Tygar—developed new attack techniques they tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in the paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.
“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”
Read more: http://threatpost.com/new-attacks-on-https-traffic-reveal-plenty-about-your-web-surfing/104667
