HTTPS is not as secure as we would like to think. Researchers from UC Berkeley have released a study based on traffic analysis of ten popular HTTPS-secured websites which reveals that it is possible to determine “personal details, including medical conditions, financial and legal affairs and sexual orientation,” of visitors to the sites.
The researchers said they have developed a proof-of-concept attack that can identify the specific web pages visited by users with up to 89% accuracy, after examining traffic patterns on websites spanning several industry sectors, including the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Wells Fargo, Bank of America, Vanguard, ACLU, Legal Zoom, Netflix, and YouTube.
“HTTPS is far more vulnerable to traffic analysis than has been previously discussed by researchers,” the team stated. “This paper confirms the vulnerability of HTTPS, but more importantly, gives new and much sharper attacks on HTTPS, presenting algorithms that decrease errors.”
The attack methodology uses “clustering techniques” to reveal patterns in traffic, then applies a “Gaussian distribution” to identify similarities within each cluster. The samples can then be mapped onto a representation that the researchers say is compatible with an array of machine learning techniques.
“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents. Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content, including cookies. Our attack applies clustering techniques to identify patterns in traffic,” the paper reveals.
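A site operator can gauge this kind of exposure on their own pages. The following is an added example, not the researchers' algorithm or code: it reduces the idea to a single feature (total bytes per page load), fits one Gaussian per page, and measures how often a held-out load is labelled correctly. The page paths, sizes, jitter and the `pad` block-padding step are assumptions made for illustration; padding is not discussed in the article.

```python
import math
import random
import statistics

# Constructed sample data: total encrypted bytes observed per page load.
# Page names and sizes are invented for illustration.
def make_samples(rng, n=40):
    pages = {"/conditions/a": 48_000, "/conditions/b": 52_500, "/billing": 71_000}
    # Small jitter stands in for caching, dynamic content and cookies.
    return {p: [int(rng.gauss(mu, 600)) for _ in range(n)] for p, mu in pages.items()}

def pad(size, block):
    """Round a transfer size up to the next multiple of block (block=1: no padding)."""
    return -(-size // block) * block

def fit(train):
    """Fit one Gaussian (mean, stdev) per page from labelled training loads."""
    return {p: (statistics.mean(v), max(statistics.pstdev(v), 1.0)) for p, v in train.items()}

def log_likelihood(x, mu, sigma):
    # Gaussian log-density up to an additive constant shared by all pages.
    return -math.log(sigma) - 0.5 * ((x - mu) / sigma) ** 2

def classify(model, x):
    """Return the page whose Gaussian gives the observed size the highest likelihood."""
    return max(model, key=lambda p: log_likelihood(x, *model[p]))

def accuracy(block, seed=7):
    """Fraction of held-out loads labelled correctly when sizes are padded to block."""
    rng = random.Random(seed)
    data = {p: [pad(s, block) for s in v] for p, v in make_samples(rng).items()}
    model = fit({p: v[:20] for p, v in data.items()})
    tests = [(p, s) for p, v in data.items() for s in v[20:]]
    return sum(classify(model, s) == p for p, s in tests) / len(tests)

if __name__ == "__main__":
    for block in (1, 16_384, 131_072):
        print(f"pad to {block:>7} bytes -> accuracy {accuracy(block):.2f}")
```

With no padding the three constructed pages are separated almost perfectly by size alone; once every load is padded to one common size the labelling falls to chance (one in three), which is the property an operator would test for.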
To carry out the analysis, an attacker would need to be able to visit the same web pages as the target and have access to the target’s traffic data. That is not something an ordinary Internet user would typically be able to do, but an ISP or similar party would have access to this data and could use it for targeted advertising, or it could allow for increased surveillance activities by the government.
“ISPs are uniquely well positioned to target and sell advertising since they have the most comprehensive view of the consumer. Both ISPs and commercial chains of Wi-Fi access points have shown efforts to mine customer data and/or sell advertising,” the researchers said. “These vulnerabilities would allow ISPs to conduct data mining despite the presence of encryption.”