Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTTPS More Vulnerable To Traffic Analysis Attacks Than Suspected

Posted by Unknown on from the working-out-the-bugs dept.

msm1267 writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy. They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said. 'We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,' the paper said. 'Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.'"

2 of 17 comments (clear)

  1. The primary point not in abstratct but not summary by JoshuaZ · · Score: 5, Informative

    The most interesting bit is not in the summary. Given individual websites they could identify which specific webpage one was visiting thus leaking with high probability all sorts of medical, financial and legal information. Examples used include from medicine the websites of the Mayo Clinic and Planned Parenthood, from finance Wells Fargo and Bank of America, and from entertainment Youtube and Netflix. This sort of thing could be used for all sorts of surveillance or blackmail. Even just knowing what Youtube videos one is watching could be used for such ends.

  2. Re:The primary point not in abstratct but not summ by mveloso · · Score: 4, Informative

    The "leaks" seem more like they can track the path of a user through a website, given the structure of the links and the relative size of the pages. I don't think they claimed they could tell what the data was on the page, but sometimes the fact that a user is on a given page is enough (depending on the structure of the site).

    For youtube, they'd have to figure out the relative sizes of all the pages, which might be difficult to do (and the size will change depending on he comments and browser used).