Website Fingerprinting Defenses at the Application Layer

Open access

Abstract

Website Fingerprinting (WF) allows a passive network adversary to learn the websites that a client visits by analyzing traffic patterns that are unique to each website. It has been recently shown that these attacks are particularly effective against .onion sites, anonymous web servers hosted within the Tor network. Given the sensitive nature of the content of these services, the implications of WF on the Tor network are alarming. Prior work has only considered defenses at the client-side arguing that web servers lack of incentives to adopt countermeasures. Furthermore, most of these defenses have been designed to operate on the stream of network packets, making practical deployment difficult. In this paper, we propose two application-level defenses including the first server-side defense against WF, as .onion services have incentives to support it. The other defense is a lightweight client-side defense implemented as a browser add-on, improving ease of deployment over previous approaches. In our evaluations, the server-side defense is able to reduce WF accuracy on Tor .onion sites from 69.6% to 10% and the client-side defense reduces accuracy from 64% to 31.5%.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] HTTP/2 specs. “https://http2.github.io/” 2015. (accessed: August 2016).

  • [2] X. Cai R. Nithyanand and R. Johnson. CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense. In Workshop on Privacy in the Electronic Society (WPES) pages 121–130. ACM 2014.

  • [3] X. Cai R. Nithyanand and R. Johnson. Glove: A Bespoke Website Fingerprinting Defense. In Workshop on Privacy in the Electronic Society (WPES) pages 131–134. ACM 2014.

  • [4] X. Cai R. Nithyanand T. Wang R. Johnson and I. Goldberg. A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses. In ACM Conference on Computer and Communications Security (CCS) pages 227–238. ACM 2014.

  • [5] X. Cai X. C. Zhang B. Joshi and R. Johnson. Touching from a Distance: Website Fingerprinting Attacks and Defenses. In ACM Conference on Computer and Communications Security (CCS) pages 605–616. ACM 2012.

  • [6] S. Chen R. Wang X. Wang and K. Zhang. Side-channel leaks in web applications: A reality today a challenge tomorrow. In IEEE Symposium on Security and Privacy (S&P) pages 191–206. IEEE 2010.

  • [7] H. Cheng and R. Avnur. Traffic Analysis of SSL Encrypted Web Browsing. Project paper University of Berkeley 1998. Available at http://www.cs.berkeley.edu/~daw/teaching/cs261-f98/projects/final-reports/ronathan-heyning.ps.

  • [8] R. Dingledine N. Mathewson and P. F. Syverson. “Tor: The Second-Generation Onion Router”. In USENIX Security Symposium pages 303–320. USENIX Association 2004.

  • [9] K. P. Dyer S. E. Coull T. Ristenpart and T. Shrimpton. Peek-a-Boo I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In IEEE Symposium on Security and Privacy (S&P) pages 332–346. IEEE 2012.

  • [10] Y. Gluck N. Harris and A. Prado. Breach: reviving the crime attack. Unpublished manuscript 2013.

  • [11] J. Hayes and G. Danezis. k-fingerprinting: a Robust Scalable Website Fingerprinting Technique. In USENIX Security Symposium. USENIX Association 2016.

  • [12] D. Herrmann R. Wendolsky and H. Federrath. Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier. In ACM Workshop on Cloud Computing Security pages 31–42. ACM 2009.

  • [13] A. Hintz. Fingerprinting Websites Using Traffic Analysis. In Privacy Enhancing Technologies (PETs) pages 171–178. Springer 2003.

  • [14] M. Juarez S. Afroz G. Acar C. Diaz and R. Greenstadt. A critical evaluation of website fingerprinting attacks. In ACM Conference on Computer and Communications Security (CCS) pages 263–274. ACM 2014.

  • [15] M. Juarez M. Imani M. Perry C. Diaz and M. Wright. Toward an Efficient Website Fingerprinting Defense. In European Symposium on Research in Computer Security (ESORICS) pages 27–46. Springer 2016.

  • [16] A. Kwon M. AlSabah D. Lazar M. Dacier and S. Devadas. Circuit fingerprinting attacks: passive deanonymization of tor hidden services. In USENIX Security Symposium pages 287–302. USENIX Association 2015.

  • [17] M. Liberatore and B. N. Levine. “Inferring the source of encrypted HTTP connections”. In ACM Conference on Computer and Communications Security (CCS) pages 255–263. ACM 2006.

  • [18] L. Lu E. Chang and M. Chan. Website Fingerprinting and Identification Using Ordered Feature Sequences. In European Symposium on Research in Computer Security (ESORICS) pages 199–214. Springer 2010.

  • [19] X. Luo P. Zhou E. W. W. Chan W. Lee R. K. C. Chang and R. Perdisci. HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows. In Network & Distributed System Security Symposium (NDSS). IEEE Computer Society 2011.

  • [20] A. Panchenko F. Lanze A. Zinnen M. Henze J. Pennekamp K. Wehrle and T. Engel. Website fingerprinting at internet scale. In Network & Distributed System Security Symposium (NDSS). IEEE Computer Society 2016.

  • [21] A. Panchenko L. Niessen A. Zinnen and T. Engel. Website fingerprinting in onion routing based anonymization networks. In ACM Workshop on Privacy in the Electronic Society (WPES) pages 103–114. ACM 2011.

  • [22] M. Perry. Committed to the official Tor Browser git repository https://gitweb.torproject.org/tor-browser.git/commit/?id=354b3b.

  • [23] M. Perry. Experimental Defense for Website Traffic Fingerprinting. Tor project Blog. “https://blog.torproject.org/blog/experimental-defense-website-traffic-fingerprinting” 2011. (accessed: October 10 2013).

  • [24] M. Perry G. Acar and M. Juarez. personal communication.

  • [25] A. Pinto. Web Page Sizes: A (Not So) Brief History of Page Size through 2015. yottaa.com. “http://www.yottaa.com/company/blog/application-optimization/a-brief-history-of-web-page-size/” 2015. (accessed: April 18 2016).

  • [26] T. Pulls. A golang implementation of the kNN website fingerprinting attack. “https://github.com/pylls/go-knn” 2016. (accessed: May 2016).

  • [27] SecureDrop. securedrop.org. “https://securedrop.org/” 2016. (accessed: April 20 2016).

  • [28] Q. Sun D. R. Simon and Y. M. Wang. Statistical Identification of Encrypted Web Browsing Traffic. In IEEE Symposium on Security and Privacy (S&P) pages 19–30. IEEE 2002.

  • [29] MobiForge. mobiforge.com. “https://mobiforge.com/research-analysis/the-web-is-doom” 2016. (accessed: April 20 2016).

  • [30] T. Wang X. Cai R. Nithyanand R. Johnson and I. Goldberg. Effective Attacks and Provable Defenses for Website Fingerprinting. In USENIX Security Symposium pages 143–157. USENIX Association 2014.

  • [31] T. Wang and I. Goldberg. Improved Website Fingerprinting on Tor. In ACM Workshop on Privacy in the Electronic Society (WPES) pages 201–212. ACM 2013.

  • [32] C. V. Wright S. E. Coull and F. Monrose. Traffic morphing: An efficient defense against statistical traffic analysis. In Network & Distributed System Security Symposium (NDSS). IEEE Computer Society 2009.

Search
Journal information
Cited By
Metrics
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 450 230 13
PDF Downloads 384 277 48