HTTPS More Vulnerable To Traffic Analysis Attacks Than Suspected

msm1267 writes "Researchers have built new attack techniques against HTTPS traffic that have been effective in learning details on users' surfing habits, leaking sensitive data that could impact privacy. They tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in a research paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said. 'We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,' the paper said. 'Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.'"

The primary point not in abstratct but not summary

[JoshuaZ]

The most interesting bit is not in the summary. Given individual websites they could identify which specific webpage one was visiting thus leaking with high probability all sorts of medical, financial and legal information. Examples used include from medicine the websites of the Mayo Clinic and Planned Parenthood, from finance Wells Fargo and Bank of America, and from entertainment Youtube and Netflix. This sort of thing could be used for all sorts of surveillance or blackmail. Even just knowing what Youtube videos one is watching could be used for such ends.