A considerable and growing fraction of servers, especially of web servers, is hosted in compute clouds. In this paper we opportunistically leverage this trend to improve privacy of clients from network attackers residing between the clients and the cloud: We design a system that can be deployed by the cloud operator to prevent a network adversary from determining which of the cloud’s tenant servers a client is accessing. The core innovation in our design is a PoPSiCl (pronounced “popsicle”), a persistent pseudonym for a tenant server that can be used by a single client to access the server, whose real identity is protected by the cloud from both passive and active network attackers. When instantiated for TLS-based access to web servers, our design works with all major browsers and requires no additional client-side software and minimal changes to the client user experience. Moreover, changes to tenant servers can be hidden in supporting software (operating systems and web-programming frameworks) without imposing on web-content development. Perhaps most notably, our system boosts privacy with minimal impact to web-browsing performance, after some initial setup during a user’s first access to each web server.
If the inline PDF is not rendering correctly, you can download the PDF file here.
 W. Almesberger. TCP connection passing. In Linux Symposium volume 1 July 2004.
 A. Aurelius C. Lagerstedt and M. Kihl. Streaming media over the Internet: Flow based analysis in live access networks. In Broadband Multimedia Systems and Broadcasting 2011 IEEE International Symposium on 2011.
 J. Boyan. The Anonymizer: Protecting user privacy on the web. Computer-Mediated Communication Magazine 4(9) Sept. 1997.
 C. Brubaker A. Houmansadr and V. Shmatikov. Cloud-Transport: Using cloud storage for censorship-resistant networking. In Privacy Enhancing Technologies 14th International Symposium volume 8555 of Lecture Notes in Computer Science. July 2014.
 Y. Cao S. Li and E. Williams. (cross-)browser fingerprinting via OS and hardware level features. In ISOC Network and Distributed System Security Symposium Feb. 2017.
 D. Chaum. The dining cryptographers problem: Unconditional sender and recipient unlinkability. Journal of Cryptology 1(1) 1988.
 C. Chen D. E. Asoni D. Barrera G. Danezis and A. Perrig. Hornet: High-speed onion routing at the network layer. In 22nd ACM Conference on Computer and Communications Security pages 1441–1454 2015.
 C. Chen and A. Perrig. Phi: Path-hidden lightweight anonymity protocol at network layer. Proceedings on Privacy Enhancing Technologies 2017(1):100–117 2017.
 L. Constantin. Antivirus software could make your company more vulnerable. PCWorld Jan. 2016. http://goo.gl/Amju2A.
 S. Coull M. P. Collins C. V. Wright F. Monrose and M. K. Reiter. On web browsing privacy in anonymized Net-Flows. In 16th USENIX Security Symposium Aug. 2007.
 R. Dingledine N. Mathewson and P. Syverson. Tor: The second-generation Onion Router. In 13th USENIX Security Symposium Aug. 2004.
 E. Dou and A. Barr. U.S. cloud providers face backlash from China’s censors. The Wall Street Journal 16 March 2015.
 K. P. Dyer S. E. Coull T. Ristenpart and T. Shrimpton. Peek-a-boo I still see you: Why efficient traffic analysis countermeasures fail. In IEEE Symposium on Security and Privacy May 2012.
 K. P. Dyer S. E. Coull and T. Shrimpton. Marionette: A programmable network-traffic obfuscation system. In 24th USENIX Security Symposium 2015.
 N. Feamster M. Balazinska W. Wang H. Balakrishnan and D. Karger. Thwarting web censorship with untrusted messenger discovery. In 3rd International Workshop on Privacy Enhancing Technologies 2003.
 D. Fifield C. Lan R. Hynes P. Wegmann and V. Paxson. Blocking-resistant communication through domain fronting. Proceedings on Privacy Enhancing Technologies 2 2015.
 Fyodor. Remote OS detection via TCP/IP stack fingerprinting. https://nmap.org/nmap-fingerprinting-article.txt Oct. 1998.
 D. Goldman. Google: The reluctant censor of the Internet. CNN Money 4 January 2015.
 K. He A. Fisher L. Wang A. Gember A. Akella and T. Ristenpart. Next stop the cloud: Understanding modern web service deployment in EC2 and Azure. In Internet Measurement Conference Oct. 2013.
 J. Holowczak and A. Houmansadr. CacheBrowser: Bypassing Chinese censorship without proxies using cached content. In 22nd ACM Conference on Computer and Communications Security Oct. 2015.
 H. C. Hsiao T. H. J. Kim A. Perrig A. Yamada S. C. Nelson M. Gruteser and W. Meng. Lap: Lightweight anonymity and privacy. In 2012 IEEE Symposium on Security and Privacy pages 506–520 2012.
 N. Jones M. Arye J. Cesareo and M. J. Freedman. Hiding amongst the clouds: A proposal for cloud-based Onion Routing. In Free and Open Communications on the Internet. USENIX 2011.
 M. Juarez S. Afroz G. Acar C. Diaz and R. Greenstadt. A critical evaluation of website fingerprinting attacks. In ACM Conference on Computer and Communications Security 2014.
 M. Liberatore and B. N. Levine. Inferring the source of encrypted HTTP connections. In 13th ACM Conference on Computer and Communications Security Oct. 2006.
 P. Mockapetris. Domain names – implementation and specification. RFC 1035 RFC Editor Nov. 1987. http://www.rfc-editor.org/rfc/rfc1035.txt.
 R. Moore. TLS Prober – an SSL/TLS server fingerprinting tool. https://github.com/WestpointLtd/tls_prober/blob/master/doc/tls_prober.md Mar. 2015.
 R. Mortier A. Madhavapeddy T. Hong D. Murray and M. Schwarzkopf. Using dust clouds to enhance anonymous communication. In 18th International Workshop on Security Protocols 2014.
 N. Nikiforakis A. Kapravelos W. Joosen C. Kruegel F. Peissens and G. Vigna. Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In IEEE Symposium on Security and Privacy May 2013.
 J. C. Norte. Advanced Tor browser fingerprinting. http://jcarlosnorte.com/security/2016/03/06/advanced-tor-browser-fingerprinting.html Mar. 2016.
 G. Owen and N. Savage. The Tor dark net. No. 20 Global Commission on Internet Governance Paper Series Sept. 2015.
 A. Panchenko F. Lanze A. Zinnen M. Henze J. Pennekamp K. Wehrle and T. Engel. Website fingerprinting at Internet scale. In ISOC Network and Distributed System Symposium Feb. 2016.
 A. Parsovs. Practical issues with TLS client certificate authentication. In ISOC Network and Distributed System Security Symposium Feb. 2014.
 B. Pfaff J. Pettit T. Koponen E. Jackson A. Zhou J. Rajahalme J. Gross A. Wang J. Stringer P. Shelar K. Amidon and M. Casado. The design and implementation of open vswitch. In 12th USENIX Symposium on Networked Systems Design and Implementation May 2015.
 A. Pfitzmann and M. Waidner. Networks without user observability. Computers and Security 6(2) Apr. 1987.
 S. Ragan. Hola VPN client vulnerabilities put millions of users at risk. CSO Mar. 2015. http://goo.gl/yZnkzF.
 J. Ruderman. Same-origin policy. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy Mar. 2016.
 J. Sankey and M. Wright. Dovetail: Stronger anonymity in next-generation internet routing. Proceedings on Privacy Enhancing Technologies pages 283–303 2014.
 L. Seltzer. Research shows antivirus products vulnerable to attack. ZDNet Feb. 2016. http://goo.gl/9kbgqX.
 T. Wang X. Cai R. Johnson and I. Goldberg. Effective attacks and provable defenses for website fingerprinting. In 23rd USENIX Security Symposium Aug. 2014.
 E. Wustrow S. Wolchok I. Goldberg and J. A. Halderman. Telex: Anticensorship in the network infrastructure. In 20th USENIX Security Symposium Aug. 2011.
 H. Zolfaghari and A. Houmansadr. Practical censorship evasion leveraging content delivery networks. In ACM Conference on Computer and Communications Security Oct. 2016.