West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.

So...

[TFlan91]

"only applies to streams still using Silverlight"

Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

Re:So...

That's just what they used in their work. The technique seems to be applicable to any other kind of transports as well, they just didn't bother doing that.

Re:So...

[zifn4b]

"only applies to streams still using Silverlight"

Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

At the moment, options are limited. Adobe Flash player with RTMP, HTML5 with RTP, or HLS? The problem is largely that web based video streaming doesn't have a whole lot of options unless you commit to writing your own cross-browser plugin. That is precisely what Flash Player did. We need better standards for video streaming. HTML5 (or perhaps browser adoption of it) didn't really step up to the plate very well.

It's funny to me that a lot of developers seem to think that because you're in the context of a web browser that one needs to use HTTP for everything. That's just simply not true.

Re:So...

[Gr8Apes]

HTML5 using RTP is absolutely satisfactory, as that covers the connection and protocol portions. The payload is a different thing, and that's purely based on implementation. It should be easy enough to add some random data bits on a secondary data pass within the encrypted stream to completely confound such analysis. The real issue here is a crappy implementation that leaks data rather than any issue with encryption.

Automated image recognition is very complex

[CustomSolvers2]

This article talks about matching videos with known ones what, unlikely what some people seem to think, is pretty much all what automated image (or video) recognition is about. For example, recognising that a given picture contains a house is usually the result of having compared the given pixels against the ones in a training set of images with houses. Almost any variation with respect to the training image has a relevant impact on this process (e.g., different structure, colours, positions, distorted pixels, etc). Additionally, these analyses usually consume lots of hardware resources.

Even in case of getting a perfect copy of the original video, just automating the recognition of its contents would represent a further layer of complexity. Something like separating the videos about sports from the ones about movies would be very difficult; virtually impossible when dealing with random inputs and expecting a high enough accuracy.

streams still using Silverlight?

[Gravis+Zero]

I thought Silverlight was supposed to be dead. Besides, if you are using Windows, your first concern obviously isn't privacy.

so what

Why should I care? Netflix already knows what I watch and I have no doubt that they would sell that information.

Compression+HTTPS=Badness

[Traverman]

"Reed and Klimkowski show that this combination of DASH and VBR can produce sequences of video segment sizes (i.e. fingerprints) that are unique for each video." Do we really need yet another lesson to teach us that mixing variably (but deterministically) sized traffic segments with HTTPS is self-defeating? Netflix needs to confront the fact that if they value user privacy over performance, they need to roughly double their bandwidth by appending non-pseudo-random junk traffic to each segment, and enforcing a global minimum segment size. I would go so far as to say, furthermore, that they need to ensure that the latency between segment send times is also highly random (up to some acceptably small limit). Otherwise, at least within the first few hops from their server farm, it would be possible to deduce the video ID just from that stream of latencies, as it's probably being read from the same cache hierarchy using the same processors and busses with roughly consistent behavior. The real threat they've discovered has nothing to do with Silverlight. It regards the implications for doing the same on video sites generally, most notably YouTube, using only modestly more sophisticated techniques. Time to reinvent the DVD rental store...

Video Privacy Protection Act of 1988

[tepples]

The "attack" is described in the rationale for the Video Privacy Protection Act of 1988, which was a response to the release of D.C. Circuit Judge Robert Bork's video rental history and its publication in Washington City Paper before his unsuccessful nomination to the Supreme Court of the United States.