This article was published on March 17, 2016

User details can reportedly be exposed on over 95% of HTTPS connections


Google is taking the lead on trying to move the whole Web over to ‘secure’ HTTPS browsing – indeed the company rather bravely admitted that even it’s falling short for its users – but there’s another snag.

Lots of researchers are already using machine learning techniques to demonstrate that this is all kind of junk.

The latest is a university team in Israel that has published a paper showing they were able to identify your OS, browser and which program you’re using on desktop with up to 96 percent accuracy across 20,000 pieces of data gathered.

The team looked at the traffic being sent and received at the network level, along with the size and frequency of transmissions, to reveal patterns that could identify these reasonably sensitive bits of information.

The technique worked whether the computer was on Windows, Linux-Ubuntu or OS X, using Chrome, Internet Explorer, Firefox or Safari, and when accessing YouTube, Facebook and Twitter.
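To make concrete what stays visible once the payload is encrypted, here is an added sketch (not code from the researchers or from this article) that classifies flows using only packet sizes, directions and timing. The traffic profiles and flows are constructed, and a nearest-centroid classifier stands in for the machine learning models used in the paper.

```python
import math, random, statistics

# Constructed profiles (mean up size, mean down size, mean gap in s); illustrative, not from the paper.
PROFILES = {
    ("Windows", "Chrome", "YouTube"): (120, 1400, 0.005),
    ("Ubuntu", "Firefox", "Twitter"): (300, 700, 0.050),
    ("OS X", "Safari", "Facebook"): (200, 1000, 0.020),
}

def _mean(xs): return statistics.mean(xs) if xs else 0.0
def _std(xs): return statistics.pstdev(xs) if xs else 0.0

def flow_features(packets):
    """packets: (timestamp_s, 'up'|'down', size_bytes) as seen on the wire; no payload needed."""
    up = [s for _, d, s in packets if d == "up"]
    down = [s for _, d, s in packets if d == "down"]
    times = sorted(t for t, _, _ in packets)
    gaps = [b - a for a, b in zip(times, times[1:])]
    total = sum(up) + sum(down)
    return [_mean(up), _std(up), _mean(down), _std(down),
            _mean(gaps) * 1000,                       # mean inter-arrival, ms
            100 * sum(down) / total if total else 0]  # downstream share, %

def synth_flow(profile, rng, n=200):  # one constructed flow, standing in for a capture
    up_size, down_size, gap = profile
    t, packets = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1 / gap)
        if rng.random() < 0.3:
            packets.append((t, "up", max(40, int(rng.gauss(up_size, 20)))))
        else:
            packets.append((t, "down", min(1500, max(40, int(rng.gauss(down_size, 60))))))
    return packets

def train(labelled):  # nearest-centroid model: mean feature vector per label
    rows = {}
    for label, packets in labelled:
        rows.setdefault(label, []).append(flow_features(packets))
    return {lbl: [statistics.mean(c) for c in zip(*r)] for lbl, r in rows.items()}

def classify(model, packets):
    return min(model, key=lambda lbl: math.dist(flow_features(packets), model[lbl]))

def accuracy(seed=1):
    rng = random.Random(seed)
    model = train([(l, synth_flow(p, rng)) for l, p in PROFILES.items() for _ in range(10)])
    tests = [(l, synth_flow(p, rng)) for l, p in PROFILES.items() for _ in range(20)]
    return sum(classify(model, pk) == l for l, pk in tests) / len(tests)
```

Every feature here comes from packet metadata an on-path observer sees regardless of TLS, which is why encryption alone does not hide this signal.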

The potential consequences?

An eavesdropper can easily leverage the information about the user to fit an optimal attack vector. A passive adversary may also collect statistics about groups of users for improving their marketing strategy. In addition, an attacker may use tuples statistics [Python list technique for data analysis] for identifying a specific person.

In introducing their work, the researchers cite tens of other papers that have used passive methods like these to gather data from encrypted network traffic.

One showed how statistical computing methods could correctly identify encrypted web pages even when the person was using Tor.

Tin foil hats all round!

Analyzing HTTPS encrypted traffic to identify user’s operating system, browser and application [Ariel University via The Register]
