Slashdot Mirror


West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack (threatpost.com)

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time," is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.

2 of 64 comments

  1. Re:So... by Anonymous Coward · Score: 2, Interesting

    That's just what they used in their work. The technique seems to be applicable to any other kind of transport as well; they just didn't bother doing that.

  2. Re:So... by zifn4b · Score: 3, Interesting

    "only applies to streams still using Silverlight"

    Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

    At the moment, options are limited. Adobe Flash Player with RTMP, HTML5 with RTP, or HLS? The problem is largely that web-based video streaming doesn't have a whole lot of options unless you commit to writing your own cross-browser plugin. That is precisely what Flash Player did. We need better standards for video streaming. HTML5 (or perhaps browser adoption of it) didn't really step up to the plate very well.

    It's funny to me that a lot of developers seem to think that because you're in the context of a web browser that one needs to use HTTP for everything. That's just simply not true.

    --
    We'll make great pets