Practical web-site-specific traffic analyses

Seth David Schoen schoen at eff.org
Fri Jul 30 19:32:43 UTC 2010


While trying to find more information about the Hansen and Sokol
talk at BlackHat, I found that Hansen had recommended this recent
paper

http://www.informatics.indiana.edu/xw7/WebAppSideChannel-final.pdf

which describes practical traffic analysis of particular sites
that use HTTPS (just by observing encrypted flows).  They mention
several clever ways to deduce what the user is doing on the site --
for example, inferring what particular illness a user is researching
on a health site, or deducing the contents of a financial chart
from its image file size (!).  The paper is called "Side-Channel
Leaks in Web Applications: a Reality Today, a Challenge Tomorrow".

The researchers suggest that web application developers should use
padding to make different activities on their sites less
distinguishable.  That sounds pretty optimistic to me.  I've heard
other privacy researchers complain that it's extremely hard to get
web developers to do things.

Obviously, the existence of traffic analysis attacks is not new.
I'm wondering about the severity of this problem.

The simplest threat scenario for Tor users would be when an
attacker in a position to observe a particular user's traffic,
but not any exit node traffic, hypothesizes that the user is
likely to visit a particular site and builds up a profile of
what web browsing traffic to that site will look like.  The
attacker could then try to confirm the hypothesis that the
user is using that site and also try to infer some details of
what the user is doing.  This is quite different from traffic
confirmation because the attacker only has to be present at
one end.

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
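
Added example, not part of the original message or of the cited paper: a small Python sketch of the padding idea mentioned above. It measures how many responses stay uniquely identifiable by size when a server rounds each response up to a fixed bucket, and what that costs in bandwidth. The paths and sizes are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample data: encrypted response sizes (bytes) an on-path
# observer would see for pages of a hypothetical site. Not from the paper.
SAMPLE_SIZES = {
    "/conditions/a": 18432,
    "/conditions/b": 18977,
    "/conditions/c": 21050,
    "/conditions/d": 21051,
    "/chart/1.png": 40210,
    "/chart/2.png": 43999,
}


def pad_to_bucket(size, bucket):
    """Round size up to the next multiple of bucket (bucket=1 means no padding)."""
    return -(-size // bucket) * bucket


def anonymity_sets(sizes, bucket=1):
    """For each path, count how many paths share its observable (padded) size."""
    observed = {path: pad_to_bucket(s, bucket) for path, s in sizes.items()}
    counts = Counter(observed.values())
    return {path: counts[obs] for path, obs in observed.items()}


def summarize(sizes, bucket):
    """Return the paths still identifiable by size alone, and the padding cost."""
    sets = anonymity_sets(sizes, bucket)
    unique = sorted(p for p, n in sets.items() if n == 1)
    raw = sum(sizes.values())
    padded = sum(pad_to_bucket(s, bucket) for s in sizes.values())
    return {"unique": unique, "overhead": (padded - raw) / raw}


if __name__ == "__main__":
    for bucket in (1, 4096, 16384):
        result = summarize(SAMPLE_SIZES, bucket)
        print(f"bucket={bucket:>5}  unique={len(result['unique'])}  "
              f"overhead={result['overhead']:.1%}")
```

On this sample, a 4096-byte bucket still leaves both charts distinguishable, and the bucket that hides everything adds roughly 40% more bytes. The sketch models response size only, not timing or request sequences.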