CR · Mar 3, 2014

I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis

arXiv:1403.0297v1 · 136 citations
Originality: Incremental advance
AI Analysis

This work addresses privacy risks for users of HTTPS-protected websites in domains like healthcare and finance, though it builds incrementally on prior traffic analysis research.

The authors tackled the problem of HTTPS traffic analysis by demonstrating an attack that identifies individual webpages with 89% accuracy, exposing sensitive personal details such as medical conditions and financial affairs. They also proposed a novel defense that reduces attack accuracy to 27% with a 9% traffic increase.

Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching, user-specific cookies and pages within the same website.
