Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail

@article{Dyer2012PeekaBooIS,
  title={Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail},
  author={Kevin P. Dyer and Scott E. Coull and Thomas Ristenpart and Thomas Shrimpton},
  journal={2012 IEEE Symposium on Security and Privacy},
  year={2012},
  pages={332-346}
}
We consider the setting of HTTP traffic over encrypted tunnels, as used to conceal the identity of websites visited by a user. It is well known that traffic analysis (TA) attacks can accurately identify the website a user visits despite the use of encryption, and previous work has looked at specific attack/countermeasure pairings. We provide the first comprehensive analysis of general-purpose TA countermeasures. We show that nine known countermeasures are vulnerable to simple attacks that… 

Identifying Website Users by TLS Traffic Analysis: New Attacks and Effective Countermeasures

This work proposes a novel length-hiding scheme that leverages standard TLS padding to enforce website-specific privacy policies and proposes the first countermeasure that is standards-based, provably secure, and experimentally effective, yet pragmatic.

Techniques and countermeasures of website/wireless traffic analysis and fingerprinting

A unified traffic analysis process model composed of a set of layers that represent the stages of traffic analysis techniques is proposed, and factors that can impact fingerprinting accuracy are elaborated to show how changes in such factors can affect the success of fingerprinting.

Padding Ain't Enough: Assessing the Privacy Guarantees of Encrypted DNS

This paper proposes a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces, and concludes by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.

Measuring the Impact of HTTP/2 and Server Push on Web Fingerprinting

This paper created web page models of top Alexa sites that captured the dependency structure of the resources on the site, and evaluated their susceptibility to state-of-the-art web fingerprinting attacks, showing that HTTP/2 presents a smaller fingerprinting surface for an adversary than HTTP/1.1.

Attacking DoH and ECH: Does server name encryption protect users’ privacy?

It is concluded that current proposals for domain encryption may produce a false sense of privacy, and more robust techniques should be envisioned to offer protection to end users.

An investigation on information leakage of DNS over TLS

A DoT fingerprinting method is developed to analyze DoT traffic and determine if a user has visited websites of interest to adversaries, and it is shown that information leakage is still possible even when DoT messages are padded.

Zero-delay Lightweight Defenses against Website Fingerprinting

It is found that WF attacks rely on the feature-rich trace front, so FRONT focuses on obfuscating the trace front with dummy packets, and GLUE randomizes the number and distribution of dummy packets for trace-to-trace randomness to impede the attacker's learning process.

CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense

The complete specifications of the CS-BuFLO scheme, which is based on the BuFLO defense proposed by Dyer et al., are laid out and a thorough evaluation of the scheme is performed using empirical data (rather than data from simulations).

Encrypted DNS -> Privacy? A Traffic Analysis Perspective

This paper examines whether encrypting DNS traffic can protect users from traffic analysis-based monitoring and censoring and shows that Tor -- which does not effectively mitigate traffic analysis attacks on web traffic -- is a good defense against DoH traffic analysis.

References

SHOWING 1-10 OF 26 REFERENCES

Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis

This paper proposes a novel method for thwarting statistical traffic analysis algorithms by optimally morphing one class of traffic to look like another class, and shows how to optimally modify packets in real-time to reduce the accuracy of a variety of traffic classifiers while incurring much less overhead than padding.

Privacy Vulnerabilities in Encrypted HTTP Streams

Presents a straightforward traffic analysis attack against encrypted HTTP streams that is surprisingly effective in identifying the source of the traffic, and proposes some countermeasures and improvements.

Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier

A novel method that applies common text mining techniques to the normalised frequency distribution of observable IP packet sizes and outperforms previously known methods like Jaccard's classifier and Naïve Bayes that neglect packet frequencies altogether or rely on absolute frequency values.

HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows

Extensive evaluation of HTTPOS on live web traffic shows that it can successfully prevent the state-of-the-art attacks from inferring private information from encrypted HTTP flows and offer much better scalability and flexibility.

Language Identification of Encrypted VoIP Traffic: Alejandra y Roberto or Alice and Bob?

It is demonstrated that current cryptographic techniques do not provide adequate protection when the underlying audio is encoded using bandwidth-saving Variable Bit Rate (VBR) coders.

Inferring the source of encrypted HTTP connections

This work examines the effectiveness of two traffic analysis techniques, based upon classification algorithms, for identifying encrypted HTTP streams, and gives evidence that these techniques will exhibit the scalability necessary to be effective on the Internet.

Automated black-box detection of side-channel vulnerabilities in web applications

A black-box tool for detecting and quantifying the severity of side-channel vulnerabilities by analyzing network traffic over repeated crawls of a web application is described and a new metric based on the Fisher criterion can be used to more robustly reveal side-channels in web applications.

Website Fingerprinting and Identification Using Ordered Feature Sequences

It is pointed out that packet ordering information, though noisy, can be utilized to enhance website fingerprinting, and that traces of the ordering information remain even under traffic morphing and can be extracted for identification.

Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow

It is found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search, suggesting the scope of the problem seems industry-wide.

Traffic Analysis of SSL Encrypted Web Browsing

The results show that an attack using simple techniques can identify the pages visited with very high accuracy, and suggest that defenses exist which may provide some degree of privacy protection in many cases.