Jump to content

HTTPS can leak your Personal details to Attackers


Recommended Posts

HTTPS can leak your Personal details to Attackers

Explosive revelations of massive surveillance programs conducted by government agencies by the former contractor Edward Snowden triggered new debate about the security and privacy of each individual who is connected somehow to the Internet and after the Snowden’s disclosures they think that by adopting encrypted communications, i.e. SSL enabled websites, over the Internet, they’ll be secure.
People do care of their privacy and many have already changed some of their online habits, like by using HTTPS instead of HTTP while they are surfing the Internet. However, HTTPS may be secured to run an online store or the eCommerce Web site, but it fails as a privacy tool.
The US researchers have found a traffic analysis of ten widely used HTTPS-secured Web sites “exposing personal details, including medical conditions, financial and legal affairs and sexual orientation.”

The UC Berkeley researchers Brad Miller, A. D. Joseph and J. D. Tygar and Intel Labs' researchers, Ling Huang, together in ‘I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis’ (PDF), showed that HTTPS, which is a protocol to transfer encrypted data over the Web, may also be vulnerable to traffic analysis.
Due to similarities with the Bag-of-Words approach to document classification, the researchers refer their analysis as Bag-of-Gaussians (BoG).

“Our attack applies clustering techniques to identify patterns in traffic. We then use a Gaussian distribution to determine similarity to each cluster and map traffic samples into a fixed width representation compatible with a wide range of machine learning techniques,” say the researchers.
They also mentioned that, "all capable adversaries must have at least two abilities." i.e. The attacker must be able to visit the same web pages as the victim, allowing the attacker to identify patterns in encrypted traffic indicative of different web pages and "The adversary must also be able to observe victim traffic, allowing the adversary to match observed traffic with previously learned patterns" they said.
The Test analysis carried out in the study includes health care services, legal services, banking and finance, Netflix and YouTube as well. The traffic analysis attack covered 6,000 individual pages on the ten Web sites and identified individual pages in the same websites with 89% accuracy in associating users with the pages they viewed.
Snowden mentioned previously, "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it" So, the technique allows Government agencies to target HTTPS traffic to mine metadata from ISP Snooping, Employee Monitoring, and which they could use for Surveillance and Censorship purpose.


New Attacks on HTTPS Traffic Reveal Plenty About Your Web SurfingOne thing that’s been made abundantly clear by mathematicians and cryptographers alike is that despite the NSA’s dragnet surveillance of phone calls and Internet traffic, the spy agency has not been able to crack the math holding up encryption technology.

Those who wish to spy and steal on the Internet continuously hit a wall when it comes to crypto algorithms, leaving no alternative but to find a way to subvert the technology in order to reach their targets.

In response, security and privacy experts, as well as cryptographers, have urged companies to turn HTTPS on by default for web-based services such as email and social networking. A group of researchers from UC Berkeley, however this week published a paper, that explains new attacks that aid in the analysis of encrypted traffic to learn personal details about the user, right down to possible health issues, financial affairs and even sexual orientation.

The paper “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” builds on previously successful research on SSL traffic analysis, Tor and SSH tunneling exposing vulnerabilities in HTTPS leading to precise attacks on the protocol that expose sensitive personal information.

The researchers—Brad Miller, Ling Huang, A.D. Joseph and J.D. Tygar—developed new attack techniques they tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in the paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.

“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”

Using the techniques presented in the paper, an attacker could learn much more about a user’s activity only than just the IP address of the website they’re visiting; specific pages on the site can now be deduced with greater accuracy than previous work, the researcher said.

The paper points out a number of privacy consequences as well beyond government surveillance. For example, enhanced SSL traffic analysis by an ISP can lead to be enhanced customer data mining and intrusive targeted advertising. Employers can also more effectively monitor employees’ traffic and the techniques can also improve the censorship efforts by oppressive regimes, putting the liberties of privacy advocates at risk.

The attacks were tested on a number of heavily visited websites, including the Mayo Clinic, Kaiser Permanente, Planned Parenthood, Wells Fargo, Bank of America, Vanguard, Legal Zoom, the ACLU, Netflix and YouTube. The researchers established a baseline by visiting webpages on the respective sites and recording subtle changes to the URLs, especially those brought upon by browser cookies and caching that affect packet sizes for internal pages compared to homepages that are much more highly trafficked.

The researchers said that their techniques, conducted against more than 6,000 webpages, were able to accurately identify internal pages and information 89 percent of the time on average.

The paper also presents a possible defense against these attacks, which the researchers called Burst, which they demonstrate reduces attack accuracy by 27 percent. The paper said the technique operates between the application and TCP layers and is able to obscure high level features of traffic.

“The Burst defense outperforms defenses which operate solely at the packet level by obscuring features aggregated over entire TCP streams,” the paper said. “Simultaneously, the Burst defense offers deployability advantages over techniques such as HTTPS since the Burst defense is implemented between the TCP and application layers.”

Link to comment
Share on other sites

  • Replies 1
  • Views 634
  • Created
  • Last Reply

Top Posters In This Topic

  • humble3d


  • Hritik V.


Top Posters In This Topic

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...