Researchers from UC Berkeley and Intel labs will present at a forum next month a study showing how encrypted web traffic can be analyzed to determine intimate details about Internet users.
For the paper, titled “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis,” researchers developed a new technique for web traffic attacks that identifies specific pages on a website with about 89 percent accuracy and can thus reveal details about an Internet user such as sexual orientation and pending medical procedures.
The researchers’ web traffic attack method showed an almost 30 percent increase in effectiveness from previously developed methods.
In the study, the attack was tested on 10 different websites that all use standard encryption technology, known as HTTPS, including Planned Parenthood, Kaiser Permanente, Bank of America, Netflix and YouTube.
“If you go to Planned Parenthood and you type in the word ‘abortion,’ we won’t necessarily see your keystrokes. But once it shows you a results page and you click on a link, we would, with pretty high accuracy, be able to identify that,” said Brad Miller, a co-author of the study and a UC Berkeley graduate student.
According to the study, adversaries accessing such information can potentially use it to discriminate against Internet users and more specifically tailor advertisements to individual consumers.
Employers, Internet service providers and governments generally have the capabilities to conduct such web traffic attacks, the study said.
“This type of attack would be applicable in any situation where somebody can monitor and record your traffic,” Miller said. “For example, if you go to a cafe and connect to Wi-Fi, the cafe would have the ability to record your traffic. Or if you go to work and you use your employer’s Wi-Fi, they can use this attack. Or if you bring your laptop to school, UC Berkeley could record your traffic.”
According to Nick Doty, a graduate student at UC Berkeley’s School of Information, computers relay data via small units of information, called “network packets,” when one visits a web page
“Let’s say you’re talking to a medical website, and when the website responds with a page about HIV, that requires 122 packets to send back,” Doty said. “If someone is listening in … if they get a message with 122 packets they can say ‘Oh, we know (you’re) looking at the HIV page.’ ”
For ways to keep web traffic secure, the study cited a type of defense that changes network packet sizes to make recognition of specific data more difficult.
Doty also added that Internet users should try to use websites secured with HTTPS, which display the icon of a lock in the browser bar. He added that the anonymity software Tor is another option for further protection.
Still, the attacks developed by this study are hard to defend against.
“There have been efforts by ISPs to sell information about your customer browsing in order for people to target advertising,” Miller said. “Ideally, you would like encryption to hide that, but our work shows that HTTPS is not sufficient for this purpose.”
The paper is scheduled to be presented at the Privacy Enhancing Technologies Symposium in Amsterdam on July 16.