Friday, March 7, 2014

As the most widely used technology to prevent eavesdropping on the Internet, HTTPS encryption has seen its share of attacks, most of which work by exploiting weaknesses that allow snoops to decode cryptographically scrambled traffic. Now there's a novel technique that can pluck out details as personal as someone's sexual orientation or a contemplation of suicide, even when the protection remains intact.
A recently published academic paper titled "I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis" shows how even strongly encrypted Web traffic can reveal highly personal information to employers, Internet service providers, state-sponsored spies, or anyone else with the capability to monitor a connection between a site and the person visiting it. As a result, it's possible for them to know with a high degree of certainty what video someone accessed on Netflix or YouTube, the specific tax form or legal advice someone sought from an online lawyer service, and whether someone visiting the Mayo Clinic website is viewing pages related to pregnancy, headaches, cancer, or suicide.
The attack works by carefully analyzing encrypted traffic and taking note of subtle differences in data size and other characteristics of the encrypted contents. In much the way someone holding a wrapped birthday present can tell if it contains a book, a Blu-ray disk, or a box of candy, an attacker can know with a high degree of certainty the specific URL of the HTTPS-protected website. The transport layer security and secure sockets layer protocols underpinning the Web encryption specifically encrypt the URL, so until now, many people presumed an attacker could only deduce the IP address of a site someone was visiting rather than specific pages belonging to that site.
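The size-based matching described above, as an added example on constructed data (not code from the paper or the article): a few test visits per known page yield a size fingerprint, and an unknown encrypted visit is matched to the closest one. The page labels and every byte count are hypothetical.

```python
from statistics import mean

# Constructed training data: for each known page, a few test visits, each
# recorded as the list of encrypted record sizes (bytes) seen on the wire.
# Page labels and all sizes are hypothetical.
TRAINING = {
    "/conditions/headache": [[1420, 1420, 613], [1420, 1420, 640], [1420, 1420, 598]],
    "/conditions/pregnancy": [[1420, 1420, 1420, 1420, 212], [1420, 1420, 1420, 1420, 260]],
    "/forms/tax": [[1420, 877], [1420, 902], [1420, 861]],
}

def features(trace):
    """Reduce a trace to what survives encryption: total bytes and record count."""
    return (sum(trace), len(trace))

def build_profiles(training):
    """Average the features of each page's test visits into one fingerprint."""
    profiles = {}
    for page, visits in training.items():
        feats = [features(v) for v in visits]
        profiles[page] = (mean(f[0] for f in feats), mean(f[1] for f in feats))
    return profiles

def guess_page(trace, profiles):
    """Return (page, distance) for the closest fingerprint; no key or plaintext used."""
    total, count = features(trace)
    def dist(p):
        # Record count is weighted heavily so a byte-count near miss cannot override it.
        return abs(p[0] - total) + 1000 * abs(p[1] - count)
    page = min(profiles, key=lambda k: dist(profiles[k]))
    return page, dist(profiles[page])

def min_separation(profiles):
    """Smallest gap in mean total bytes between any two pages: a rough measure
    of how easily size alone tells the pages apart."""
    totals = sorted(p[0] for p in profiles.values())
    return min(b - a for a, b in zip(totals, totals[1:]))

PROFILES = build_profiles(TRAINING)

if __name__ == "__main__":
    unknown = [1420, 1420, 625]  # constructed "unknown" encrypted visit
    print(guess_page(unknown, PROFILES))
    print("min separation (bytes):", min_separation(PROFILES))
```

A site operator can run the same measurement over its own pages: a large minimum separation means the pages are easy to tell apart by size alone.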

1 comment:

  1. I'm curious as to exactly how they're going about observing the data they see. Is it a packet sniffer, protocol analyzer or are they using common methods used by some attackers to do it? Of course, some of the things they pointed out in the full article and in yours is that viewers are susceptible to this happening to them by anyone whether they are government or civilian. Also, I read a comment about the encryption keys which was both fascinating because we hadn't discussed it and also unique because of the method they chose -- really what was being discussed. In fact, here's a quote from the comment. "It performs NO recovery of plaintext from the ciphertext, and no attempted recovery of the key. The nature of the key, and the frequency with which it does/does not change and the manner in which it does/does not change is completely irrelevant to the attack.
    What occurs is the use of a small number of test visits (which could even use an unknown key!) to learn the characteristics of the encrypted URL for visits to a set of known pages, and then using the characteristics of those visits to make a good guess as to the page visited when examining unknown encrypted requests." So my question to you would be, are they hijacking these sessions to see what the person is looking at or am I missing a key detail here? It sounds to me like they're spying just to see what they can pick up. It's a little scary, though. If they can find out what you're looking at or for, who's to say they won't engineer some scheme to manipulate that?
