‘Secure’ web browsing using HTTPS may not be as private as most web users hope – as University of Berkeley researchers have revealed a technique for identifying individual web pages visited ‘securely’ by users, with up to 89% accuracy, revealing data such as health conditions, financial details and sexual orientation.
The researchers used a new form of traffic analysis attack against 6,000 web pages hosted on sites including hospital clinics and video-streaming sites such as Netflix and YouTube. The team claim their technique is more than three times more accurate at identifying pages visited than any previous algorithm.
“Our attack identies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation,” the researchers write in the paper I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis.
The technique achieves an accuracy of 89% compared to 60% with previous techniques, the team writes.
The Register comments, “HTTPS may be good at securing financial transactions, but it isn’t much use as a privacy tool.”
The attack uses multiple methods of statistical analysis to yield its results, The Register reports. “Our attack applies clustering techniques to identify patterns in traffic. We then use a Gaussian distribution to determine similarity to each cluster and map traffic samples into a fixed width representation compatible with a wide range of machine learning techniques,” the researchers write.
The attacker has to be able to visit the same websites as the victim, and have access to the victim’s traffic data – but this is data freely available to authorities such as ISPs and employers, the researchers note.
“ISPs are uniquely well positioned to target and sell advertising since they have the most comprehensive view of the consumer. Both ISPs and commercial chains of Wi-Fi access points have shown efforts to mine customer data and/or sell advertising. These vulnerabilities would allow ISPs to conduct data mining despite the presence of encryption,” the researchers say.
The researchers point out that the technique would also allow employers to monitor web pages visited by employees – including, potentially, corporate whistleblowers.
“Analysis would allow employers to remove many of the protections expected by employees using HTTPS to protect their sensitive communications from untrusted parties,” they write.
The researchers write that oppressive regimes could also use the technique to target dissidents.
The paper suggests various techniques that could obscure the browsing habits of users from anyone wishing to intrude on them, reducing the effectiveness of the attack to 27%. The researchers say that more research is needed into how effective the attack is in “real life” browsing situations where users may be using several tabs at once, and different browsers and devices, including mobiles.
Author Rob Waugh, We Live Security