Patterns In Encrypted Web Traffic Can Disclose Sensitive Details

Status
Not open for further replies.

Littlebits

Retired Staff
Thread author
May 3, 2011
- Patterns in HTTPS traffic can reveal personal details
By analyzing patterns in encrypted web traffic, researchers found that they can identify access to specific pages on a website with an accuracy of 89%, even if the resources are being shared.

The research is at the beginning, and has been documented in a paper called “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis,” to be presented in July, at the Privacy Enhancing Technologies Symposium, in Amsterdam.

It is based on attacks carried out on more than 6,000 web pages spanning the HTTPS deployments of 10 widely-used websites in areas ranging from healthcare and finance to video streaming.

According to the paper, observing patterns in encrypted traffic could give an attacker insight into personal details such as medical conditions and their type, and even the sexual orientation by determining the video rental history of the victim.

In order to do that, the attacker needs to know the pages visited by the victim, so that the patterns in the encrypted traffic can be observed, and to be able to monitor the traffic in order to match it with previously learned patterns.

The attack model proposed consists of crawling the website to gather URLs and then analyzing them “to produce a canonicalization function which, given a URL, returns a canonical label for the webpage loaded as a result of entering the URL into a browser address bar.” The canonicalization function is then used to create a graph of the website.

Among the adversaries that meet the two requirements are ISPs (Internet Service Providers), employers that can monitor all activity on the network and spying agencies.

Multiple defense techniques are also proposed, the Burst approach being the most effective because it modifies the packet sizes and makes pattern recognition more difficult.

“Burst defense which operates between the application and TCP layers to obscure high level features of traffic while minimizing overhead,” the researchers wrote.

The researchers say that their evaluation techniques bring an improved accuracy, to 89%, from the 60% recorded with other methods.

The websites covered by the research included the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Wells Fargo, Bank of America, Vanguard, the ACLU, Legal Zoom, Netflix and YouTube.

Interpretation of the results focuses on caching and user-specific cookies and does not explore factors such as browser differences, operating system differences or mobile devices used by the victim, which would lead to a lower accuracy.

Source
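
An added illustration (not from the paper or the original post) of why padding the sizes seen on the wire makes pattern recognition harder, and what it costs in overhead. The page names, byte counts and the round-up-to-a-multiple padding rule are constructed assumptions; this is a simplification, not the paper's Burst defense.

```python
from collections import Counter

# Constructed sample data: bytes per response burst for each page of a
# hypothetical site. TLS hides the content of a burst, not its size.
PAGES = {
    "/conditions/a": [1400, 5200, 880],
    "/conditions/b": [1400, 6100, 910],
    "/conditions/c": [1350, 5900, 700],
    "/billing": [2300, 400],
    "/contact": [2100, 300],
}

def pad_burst(size, step):
    """Round a burst up to the next multiple of `step` bytes."""
    return -(-size // step) * step

def fingerprint(bursts, step=None):
    """Burst sizes as an observer sees them, optionally padded."""
    if step is None:
        return tuple(bursts)
    return tuple(pad_burst(b, step) for b in bursts)

def anonymity_sets(pages, step=None):
    """For each page, how many pages share its observable fingerprint."""
    counts = Counter(fingerprint(b, step) for b in pages.values())
    return {url: counts[fingerprint(b, step)] for url, b in pages.items()}

def uniquely_identifiable(pages, step=None):
    """Pages whose fingerprint matches no other page (anonymity set of 1)."""
    return sorted(u for u, n in anonymity_sets(pages, step).items() if n == 1)

def overhead(pages, step):
    """Extra bytes sent because of padding, as a fraction of the original."""
    raw = sum(sum(b) for b in pages.values())
    padded = sum(sum(fingerprint(b, step)) for b in pages.values())
    return (padded - raw) / raw

if __name__ == "__main__":
    print("no padding:", uniquely_identifiable(PAGES))
    for step in (512, 1024, 4096):
        print(f"step={step}: unique={uniquely_identifiable(PAGES, step)} "
              f"overhead={overhead(PAGES, step):.0%}")
```

On this sample data a 1024-byte step already leaves no page uniquely identifiable at roughly a quarter extra bandwidth, while a 4096-byte step gives the same result at more than double the traffic, which is the privacy-versus-overhead trade-off the researchers' quote refers to.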
 