A new paper titled ‘I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis’, evaluates the risks of traffic analysis on HTTPS connections in a post Edward Snowden world, and shows that even when protected by SSL encryption, it is possible to identify webpages in the same website visited by an individual with 89 percent accuracy.
The report examines an HTTPS traffic analysis attack against over 6000 webpages, covering some of the most sensitive kinds of information accessible on the web, including from healthcare, Legal, financial, and streaming video services in the US, and attempts to discover the actual pages visited by individuals to the websites, rather than just the mere fact of their visiting the website.
‘We present several categories of website in which the specific pages accessed by the user are more interesting that the mere fact that the user is visiting the website at all. This notion is present in the traditional privacy concepts such as patient confidentiality or attorney-client privilege, where the content of a communication is substantially more sensitive than the simple presence of communication.’
Scenarios proposed for possible attack motives include ISP snooping (because they ‘are uniquely well positioned to target advertising since they have the most comprehensive view of the customer), employee monitoring (a power which has can and is abused, and a category that extends to whistleblowers), surveillance (referencing the NSA, and most notably their attempt to specifically target HTTPS, although ‘other governments around the world have long employed these practices’) , and censorship (such as that in China).
The methodology used by the researchers in their attacks is complex, but in their Evaluation they find that with their Bag-of-Gaussians (BoG) attack, they achieved not only an 89 percent accuracy overall, but that ‘only 4 of the 10 websites included in evaluation have accuracy below 92%’.
The paper then goes on to present ‘unique’ solutions for minimising the effectiveness of such attacks, showing how their accuracy can be reduced to ‘27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.’
However, to increase the likelihood that such measures be widely deployed, the study calls for further work to ‘investigate necessary defense measures under increasingly realistic conditions.’