HTTPS Traffic Analysis (and Crimea)

First off, Stalin lives!

Fun fact: during the initial stages of the Crimea occupation, Russia’s own Night Wolves biker gang — which Putin is so closely associated with that the Finns once added him to their “arrest on sight” secret criminal blacklist on account of his connection to the gang — the Night Wolves bikers went around Crimea offering “humanitarian aid.” They would go up to Crimean residents and ask them what they wanted, saying the Night Wolves would be ferrying in supplies from “Stalingrad.” (The city, now known as Volgograd, hasn’t carried Isoev Jugashvili’s nom de guerre since 1961.)

Anyway, so check out the Crimean referendum ballot.

Somewhat appropriately perhaps is therefore today’s link from card-carrying siloviki Eugene Kaspersky’s Kaspersky Lab Threatpost blog.

Leading off with the utterly groundless and certainly misleading assertion that the NSA hasn’t been able to crack any crypto — we certainly don’t have any information of the sort, we know they’ve worked to make crypto easier to crack, and Schneier believes the NSA is sitting on a very serious big-deal crack of some really common crypto — it nevertheless makes a good point.

Even without cryptanalysis, just looking at the exact profile of your HTTPS-encrypted traffic to various websites often allows an adversary to tell what exactly you’re doing there.

This is because the data transfer patterns for a given part of the website are similar for different users. Therefore, by watching just the characteristics of the traffic, it’s possible to see if someone’s headed to the “secure whistleblower dropbox” or whatever.

The researchers propose a traffic obfuscation scheme called Burst as a defense. I propose that, since your website is probably all dynamic ANYWAY, you might as well mix up layout templates, image resolutions, and what have you to screw with the snoops.

Bonus points if you can get the traffic profile over time to spell out “FUCK YOU NSA” in Morse code.

“, security and privacy experts, as well as cryptographers, have urged companies to turn HTTPS on by default for web-based services such as email and social networking. A group of researchers from UC Berkeley, however this week published a paper, that explains new attacks that aid in the analysis of encrypted traffic to learn personal details about the user, right down to possible health issues, financial affairs and even sexual orientation.

The paper “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis” builds on previously successful research on SSL traffic analysis, Tor and SSH tunneling exposing vulnerabilities in HTTPS leading to precise attacks on the protocol that expose sensitive personal information.

The researchers—Brad Miller, Ling Huang, A.D. Joseph and J.D. Tygar—developed new attack techniques they tested against 600 leading healthcare, finance, legal services and streaming video sites, including Netflix. Their attack, they said in the paper, reduced errors from previous methodologies more than 3 ½ times. They also demonstrate a defense against this attack that reduces the accuracy of attacks by 27 percent by increasing the effectiveness of packet level defenses in HTTPS, the paper said.

“We design our attack to distinguish minor variations in HTTPS traffic from significant variations which indicate distinct traffic contents,” the paper said. “Minor traffic variations may be caused by caching, dynamically generated content, or user-specific content including cookies. Our attack applies clustering techniques to identify patterns in traffic.”

Using the techniques presented in the paper, an attacker could learn much more about a user’s activity only than just the IP address of the website they’re visiting; specific pages on the site can now be deduced with greater accuracy than previous work, the researcher said.

The paper points out a number of privacy consequences as well beyond government surveillance. For example, enhanced SSL traffic analysis by an ISP can lead to be enhanced customer data mining and intrusive targeted advertising. Employers can also more effectively monitor employees’ traffic and the techniques can also improve the censorship efforts by oppressive regimes, putting the liberties of privacy advocates at risk.[…]

The paper also presents a possible defense against these attacks, which the researchers called Burst, which they demonstrate reduces attack accuracy by 27 percent. The paper said the technique operates between the application and TCP layers and is able to obscure high level features of traffic.

“The Burst defense outperforms defenses which operate solely at the packet level by obscuring features aggregated over entire TCP streams,” the paper said. “Simultaneously, the Burst defense offers deployability advantages over techniques such as HTTPS since the Burst defense is implemented between the TCP and application layers.””

%d bloggers like this: