
Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures

Abstract: Websites commonly use HTTPS to protect their users' private data from network-based attackers. By combining public social network profiles with TLS traffic analysis, we present a new attack that reveals the precise identities of users accessing major websites. As a countermeasure, we propose a novel length-hiding scheme that leverages standard TLS padding to enforce website-specific privacy policies. We present several implementations of this scheme, notably a patch for GnuTLS that offers a rich length-hiding API and an Apache module that uses this API to enforce an anonymity policy for sensitive user files. Our implementations are the first to fully exercise the length-hiding features of TLS and our work uncovers hidden timing assumptions in recent formal proofs of these features. Compared to previous work, we offer the first countermeasure that is standards-based, provably secure, and experimentally effective, yet pragmatic, offering websites a precise trade-off between user privacy and bandwidth efficiency.

Cited literature [24 references]
Contributor: Alfredo Pironti
Submitted on: Monday, September 17, 2012 - 2:40:32 PM
Last modification on: Friday, May 25, 2018 - 12:02:06 PM
Long-term archiving on: Friday, December 16, 2016 - 2:29:08 PM




  • HAL Id : hal-00732449, version 1



Alfredo Pironti, Pierre-Yves Strub, Karthikeyan Bhargavan. Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures. [Research Report] RR-8067, INRIA. 2012. ⟨hal-00732449⟩


