Researchers: HTTPS traffic patterns reveal visited pages

Researchers have managed to determine, with 89 percent confidence, which pages someone has visited over HTTPS. To do this, however, the HTTPS traffic must be intercepted. Never before have researchers managed to analyze HTTPS traffic so accurately.

A man in the middle who intercepts an internet user’s traffic is normally unable to see which pages are visited over HTTPS. Only the domain name to which the connection is made is visible. The GET request itself, containing the requested page, is sent over SSL/TLS. However, patterns in the encrypted internet traffic can still be observed.

Researchers at Berkeley and Intel have found that in some cases it is even possible to determine which pages have been requested with 89 percent certainty. Until now the figure was 60 percent. To do this, an attacker must take a number of steps. First, he has to intercept internet traffic. In addition, the attacker himself must have visited and analyzed at least five hundred pages of a particular domain name before an indication of a visited page can be given. The researchers succeeded in doing so for, among others, an American civil rights organization, a number of banks and an abortion organization.

The researchers note that the pages visited can provide indications of a person’s sexual preferences, financial situation and medical problems. Employers who manage their employees’ internet connection, among others, could abuse this, the researchers say. The same goes for spying governments.

A defense against the attack could be to divide IP packets in half in certain cases, or to apply padding, where random values are added to a packet. The latter is commonly done in cryptography, to prevent two identical messages using the same encryption from being linked together.
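
To illustrate the padding defense, the following added example (not from the article or the researchers' work) pads constructed response sizes with random filler up to a multiple of an assumed 1024-byte block and counts how many pages can still be told apart by length alone. The page names, sizes, block size and length-prefix framing are assumptions, and total length is only one of the traffic features such an analysis can use.

```python
import os
import struct
from collections import Counter

BLOCK = 1024  # assumed padding granularity in bytes (not from the article)

# Constructed sample data: page path -> response size in bytes.
PAGES = {"/": 2310, "/about": 2875, "/contact": 2990,
         "/accounts": 3420, "/loans": 3977, "/help": 4100}


def pad(payload: bytes, block: int = BLOCK) -> bytes:
    """Prefix the true length, then add random filler up to a multiple of block."""
    framed = struct.pack(">I", len(payload)) + payload
    return framed + os.urandom(-len(framed) % block)


def unpad(padded: bytes) -> bytes:
    """Recover the payload; reject a length prefix that cannot be valid."""
    if len(padded) < 4:
        raise ValueError("message shorter than length prefix")
    (length,) = struct.unpack(">I", padded[:4])
    if length > len(padded) - 4:
        raise ValueError("length prefix exceeds message size")
    return padded[4:4 + length]


def observed(pages: dict, padded: bool) -> dict:
    """Size an eavesdropper would see for each page, with or without padding."""
    return {p: len(pad(bytes(n))) if padded else n for p, n in pages.items()}


def uniquely_sized(sizes: dict) -> list:
    """Pages whose observed size is shared with no other page."""
    counts = Counter(sizes.values())
    return sorted(p for p, s in sizes.items() if counts[s] == 1)


if __name__ == "__main__":
    for label, flag in (("unpadded", False), ("padded", True)):
        sizes = observed(PAGES, flag)
        print(label, sizes, "identifiable by size:", uniquely_sized(sizes))
```

In this sample, `/help` still stands out after padding because it lands in a size bucket of its own, so the block size has to be chosen against the site's actual size distribution.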