Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures

Abstract : Websites commonly use HTTPS to protect their users' private data from network-based attackers. By combining public social network profiles with TLS traffic analysis, we present a new attack that reveals the precise identities of users accessing major websites. As a countermeasure, we propose a novel length-hiding scheme that leverages standard TLS padding to enforce website-specific privacy policies. We present several implementations of this scheme, notably a patch for GnuTLS that offers a rich length-hiding API and an Apache module that uses this API to enforce an anonymity policy for sensitive user files. Our implementations are the first to fully exercise the length-hiding features of TLS and our work uncovers hidden timing assumptions in recent formal proofs of these features. Compared to previous work, we offer the first countermeasure that is standards-based, provably secure, and experimentally effective, yet pragmatic, offering websites a precise trade-off between user privacy and bandwidth efficiency.
Document type : Reports

https://hal.inria.fr/hal-00732449
Contributor : Alfredo Pironti
Submitted on : Monday, September 17, 2012 - 2:40:32 PM
Last modification on : Friday, May 25, 2018 - 12:02:06 PM
Long-term archiving on: Friday, December 16, 2016 - 2:29:08 PM

File

RR-8067.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00732449, version 1

Citation

Alfredo Pironti, Pierre-Yves Strub, Karthikeyan Bhargavan. Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures. [Research Report] RR-8067, INRIA. 2012. ⟨hal-00732449⟩
