Encrypted Web traffic can reveal highly sensitive information

Merely knowing what pages a person views on a website can hint at their personal life

Analyzing encrypted Web traffic can potentially reveal highly sensitive information such as medical conditions and sexual orientation, according to a research paper that forecasts how privacy on the Internet may erode.

In a paper titled "I Know Why You Went to the Clinic," researchers show that by observing encrypted Web traffic and identifying patterns, it is possible to determine which pages a person has visited on a website, giving clues to their personal life. The paper will be presented July 16 at the Privacy Enhancing Technologies Symposium in Amsterdam.

Almost all websites that exchange sensitive data rely on SSL/TLS (Secure Sockets Layer/Transport Layer Security) technology, which encrypts data exchanged between a person's computer and a server.

The data is unreadable, but the researchers developed a traffic analysis attack that makes it possible to identify what individual pages in a website a person has browsed with about 80 percent accuracy. Previous research had shown it was possible to do such analysis, but the accuracy rate was 60 percent.

They evaluated the effectiveness of the attack using 6,000 Web pages within 10 websites: the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Wells Fargo, Bank of America, Vanguard, the ACLU, Legal Zoom, Netflix and YouTube.

Encrypted page views of health care websites, for example, "have the potential to reveal whether a pending procedure is an appendectomy or an abortion, or whether a chronic medication is for diabetes or HIV/AIDS," they wrote.

"These types of distinctions and others can form the basis for discrimination or persecution and represent an easy opportunity to target advertising for products which consumers are highly motivated to purchase," according to the paper.

To execute a traffic analysis attack, an adversary would have to be able to identify the encrypted traffic patterns of a particular site and to observe the victim's Web traffic. ISPs and employers would have visibility into users' data streams, they wrote.

One way to thwart such analysis is a "burst" defense, which involves modifying packet sizes in an attempt to make traffic less vulnerable to pattern recognition, they wrote.

A "linear" defense pads packet sizes up to multiples of 128 bytes, while an "exponential" defense pads packet sizes up to powers of two. Another approach is to randomly fragment packets, which offers the advantage of not generating additional data.
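The two padding rules can be illustrated with a short Python sketch. This is not code from the paper: the function names `pad_linear` and `pad_exponential` are hypothetical, sizes are assumed to be in bytes, and the sketch ignores any upper limit a real network would impose on packet size.

```python
def pad_linear(size: int, step: int = 128) -> int:
    """Round a packet size up to the next multiple of `step` (assumed bytes)."""
    # Ceiling division written with integer arithmetic only.
    return -(-size // step) * step


def pad_exponential(size: int) -> int:
    """Round a packet size up to the next power of two."""
    if size <= 1:
        return 1
    # (size - 1).bit_length() is the exponent of the next power of two.
    return 1 << (size - 1).bit_length()


# Compare the observable size under each rule for a few sample packets.
for size in (100, 128, 300, 1000):
    print(size, pad_linear(size), pad_exponential(size))
```

In this sketch a 300-byte packet becomes 384 bytes under the linear rule and 512 bytes under the exponential rule, so the exponential rule hides more size information at the cost of more padding.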

"The Burst defense offers greater protection, operating between the TCP layer and application layer to pad contiguous bursts of traffic up to pre-defined thresholds uniquely determined for each website," the paper said. "The Burst defense allows for a natural tradeoff between performance and cost, as fewer thresholds will result in greater privacy but at the expense of increased padding."
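The tradeoff described in the quote can be sketched in Python. This is only an illustration under stated assumptions, not the paper's implementation: the names `pad_burst` and `padding_overhead`, the burst sizes and the threshold values are all made up, and bursts larger than every threshold are simply left unpadded here.

```python
from bisect import bisect_left
from typing import Sequence


def pad_burst(burst_size: int, thresholds: Sequence[int]) -> int:
    """Pad a burst up to the smallest threshold that is >= its size.

    Assumption of this sketch: a burst larger than every threshold
    is returned unchanged.
    """
    ordered = sorted(thresholds)
    i = bisect_left(ordered, burst_size)
    return ordered[i] if i < len(ordered) else burst_size


def padding_overhead(bursts: Sequence[int], thresholds: Sequence[int]) -> int:
    """Total extra bytes sent when every burst is padded."""
    return sum(pad_burst(b, thresholds) - b for b in bursts)


# Hypothetical burst sizes (bytes) and two hypothetical threshold sets.
bursts = [900, 2500, 7000, 15000]
fine = [1000, 4000, 8000, 16000]
coarse = [4000, 16000]

print(padding_overhead(bursts, fine))    # many thresholds: less padding
print(padding_overhead(bursts, coarse))  # few thresholds: more padding
```

With the coarse set, the four bursts collapse into only two distinct observable sizes, which leaves less for an observer to distinguish, but the padding cost rises from 3,600 to 14,600 bytes in this made-up example.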

There are still complications that hamper pattern identification in encrypted Web traffic. For example, different operating systems, devices and locations of devices could make the Web traffic appear more diverse and harder to identify.

The research also assumes that a person is browsing the Web through a single tab in their Web browser. It was unclear to the researchers how much traffic might be generated by other open tabs and whether it could be separated.

Those conditions would also impact how to defend against an attack, as "realistic conditions may substantially contribute to an effective defense," they wrote.

The paper was co-authored by Brad Miller, A.D. Joseph and J.D. Tygar of the University of California at Berkeley and Ling Huang of Intel Labs.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk

IDG News Service