A Web Traffic Analysis Attack Using Only Timing Information

TL;DR

This paper presents a timing-only attack on encrypted web traffic that is highly effective and bypasses existing padding defenses, revealing vulnerabilities in current privacy protections.

Contribution

It introduces a novel attack method based solely on packet timing, effective against both wired and wireless traffic without needing start/end point knowledge.

Findings

Achieves over 90% success rate in identifying web fetches

Effective against both wired and wireless traffic

Highlights weaknesses in current padding defenses

Abstract

We introduce an attack against encrypted web traffic that makes use only of packet timing information on the uplink. This attack is therefore impervious to existing packet padding defences. In addition, unlike existing approaches this timing-only attack does not require knowledge of the start/end of web fetches and so is effective against traffic streams. We demonstrate the effectiveness of the attack against both wired and wireless traffic, achieving mean success rates in excess of 90%. In addition to being of interest in its own right, this timing-only attack serves to highlight deficiencies in existing defences and so to areas where it would be beneficial for VPN designers to focus further attention.