I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis
Brad Miller, Ling Huang, A. D. Joseph, J. D. Tygar

TL;DR
This paper demonstrates a traffic analysis attack on HTTPS websites, revealing personal details with high accuracy, and proposes a defense that significantly reduces attack effectiveness even under realistic conditions.
Contribution
It introduces a novel traffic analysis attack on HTTPS websites and evaluates its effectiveness and defenses in real-world scenarios with various privacy-preserving mechanisms.
Findings
Attack identifies individual pages within the same HTTPS website with 89% accuracy
Defense reduces attack accuracy to 27% at the cost of a 9% traffic increase
Evaluation in a realistic setting (caching enabled, cookies considered) shows prior defenses are more effective than earlier evaluations indicated
Abstract
Revelations of large scale electronic surveillance and data mining by governments and corporations have fueled increased adoption of HTTPS. We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. We examine evaluation methodology and reveal accuracy variations as large as 18% caused by assumptions affecting caching and cookies. We present a novel defense reducing attack accuracy to 27% with a 9% traffic increase, and demonstrate significantly increased effectiveness of prior defenses in our evaluation context, inclusive of enabled caching,…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection · Privacy, Security, and Data Protection
