Google is taking the lead on trying to move the whole Web over to ‘secure’ HTTPS browsing – indeed the company rather bravely admitted that even it’s falling short for its users – but there’s another snag.
Lots of researchers are already using machine learning techniques to demonstrate that this is all kind of junk.
The latest is a university team in Israel that has published a paper showing they were able to identify your OS, browser and which program you’re using on the desktop with up to 96 percent accuracy across the 20,000 pieces of data gathered.
The team looked at the traffic being sent and received at the network level, along with the size and frequency of transmissions, to reveal patterns that could identify these reasonably sensitive bits of information.
The technique worked whether the computer was on Windows, Linux-Ubuntu or OSX, using Chrome, Internet Explorer, Firefox or Safari, and when accessing YouTube, Facebook and Twitter.
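As an added illustration (not code from the paper or from this article), the sketch below computes size and frequency features from packet metadata alone and feeds them to a simple nearest-centroid classifier, which is why encrypting the payload does not hide them. The feature set, the classifier, the labels and the sample flows are all constructed assumptions; the paper's own features and model are not described here.

```python
from statistics import mean, pstdev

# A packet is (seconds since flow start, direction, bytes on the wire), where
# direction is +1 for sent and -1 for received. Payload is never inspected.

def flow_features(packets):
    """Summarise one flow by the size and frequency of its transmissions."""
    if not packets:
        raise ValueError("empty flow")
    sent = [n for _, d, n in packets if d > 0]
    recv = [n for _, d, n in packets if d < 0]
    times = [t for t, _, _ in packets]
    gaps = [b - a for a, b in zip(times, times[1:])]
    duration = (times[-1] - times[0]) or 1e-9   # avoid dividing by zero
    return (mean(sent) if sent else 0.0,        # mean sent size
            mean(recv) if recv else 0.0,        # mean received size
            pstdev(recv) if recv else 0.0,      # spread of received sizes
            len(sent) / len(packets),           # share of packets sent
            len(packets) / duration,            # packets per second
            mean(gaps) if gaps else 0.0)        # mean inter-arrival gap

def train(labelled_flows):
    """Return per-label feature centroids and a per-feature scale."""
    rows = {}
    for label, packets in labelled_flows:
        rows.setdefault(label, []).append(flow_features(packets))
    centroids = {lab: tuple(mean(col) for col in zip(*fs)) for lab, fs in rows.items()}
    scale = tuple(max(abs(v) for v in col) or 1.0 for col in zip(*centroids.values()))
    return centroids, scale

def classify(packets, centroids, scale):
    """Nearest centroid under scaled squared Euclidean distance."""
    f = flow_features(packets)
    def dist(c):
        return sum(((a - b) / s) ** 2 for a, b, s in zip(f, c, scale))
    return min(centroids, key=lambda lab: dist(centroids[lab]))

# Constructed sample flows with hypothetical labels (not data from the paper).
TRAINING = [
    ("bulk-download", [(0.00, 1, 120), (0.02, -1, 1460), (0.03, -1, 1460), (0.04, -1, 1400), (0.30, 1, 110), (0.32, -1, 1460)]),
    ("bulk-download", [(0.00, 1, 130), (0.01, -1, 1460), (0.02, -1, 1380), (0.03, -1, 1460), (0.25, 1, 125), (0.27, -1, 1460)]),
    ("chatty-exchange", [(0.0, 1, 420), (0.4, -1, 380), (1.1, 1, 450), (1.5, -1, 310), (2.6, 1, 400), (3.0, -1, 350)]),
    ("chatty-exchange", [(0.0, 1, 390), (0.5, -1, 360), (1.3, 1, 440), (1.8, -1, 330), (2.9, 1, 410), (3.4, -1, 370)]),
]
UNSEEN_BULK = [(0.00, 1, 115), (0.02, -1, 1460), (0.03, -1, 1460), (0.05, -1, 1420), (0.28, 1, 118), (0.30, -1, 1460)]
UNSEEN_CHATTY = [(0.0, 1, 430), (0.6, -1, 340), (1.2, 1, 405), (1.9, -1, 365), (2.7, 1, 415), (3.2, -1, 345)]

if __name__ == "__main__":
    model = train(TRAINING)
    print(classify(UNSEEN_BULK, *model), classify(UNSEEN_CHATTY, *model))
```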
The potential consequences?
“An eavesdropper can easily leverage the information about the user to fit an optimal attack vector. A passive adversary may also collect statistics about groups of users for improving their marketing strategy. In addition, an attacker may use tuples statistics [Python list technique for data analysis] for identifying a specific person.”
In introducing their work, the researchers cite tens of other papers that have used passive methods like these to gather data from encrypted network traffic.
Tin foil hats all round!