UPDATED 03:26 EDT / JUNE 24 2014

Study says encryption won’t protect you against determined snoops

Analysis of encrypted web traffic can reveal all kinds of sensitive information about a person, including their sexual orientation and medical conditions, claims a new study on the erosion of Internet privacy.

The study, titled “I Know Why You Went to the Clinic” shows how it’s possible to identify which websites and pages people have visited just by looking at the encrypted traffic from their IP addresses. Using this knowledge, it’s possible to ascertain numerous details about that person’s personal life.

The authors of the study explain how their ‘traffic analysis attack’ allows them to identify which website has been visited with 80 percent accuracy, even when that traffic has been encrypted with SSL/TLS (Secure Sockets Layer/Transport Layer Security). The attack works by studying the encrypted traffic patterns produced by each website, looking for tell-tale signs that give away the identity of the site and pages being visited. To test the attack’s effectiveness, the researchers used 6,000 sample pages from ten websites – ACLU, Bank of America, Kaiser Permanente, Legal Zoom, the Mayo Clinic, Netflix, Planned Parenthood, Vanguard, Wells Fargo, and YouTube.

It’s possible to glean extremely sensitive information from such attacks. For example, by studying encrypted page views of health care websites it’s possible to know “whether a pending procedure is an appendectomy or an abortion, or whether a chronic medication is for diabetes or HIV/AIDS,” write the researchers.

“These types of distinctions and others can form the basis for discrimination or persecution and represent an easy opportunity to target advertising for products which consumers are highly motivated to purchase,” according to the paper.

Such attacks can be defended against, however. One of the most effective means of doing so is the so-called “burst” defense, which makes traffic less vulnerable to pattern recognition by modifying data packet sizes. Another method is the “linear” defense, which pads packet sizes up to multiples of 128; packets can also be randomly fragmented, which avoids generating additional data that might itself give away the website.

“The Burst defense offers greater protection, operating between the TCP layer and application layer to pad contiguous bursts of traffic up to pre-defined thresholds uniquely determined for each website,” note the authors. “The Burst defense allows for a natural tradeoff between performance and cost, as fewer thresholds will result in greater privacy but at the expense of increased padding.”
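To make the two defenses concrete, here is an added simulation that is not code from the paper or from this article: it applies linear padding (round each packet up to a multiple of 128 bytes) and burst padding (pad each contiguous same-direction burst up to a per-site threshold) to constructed packet traces. The trace format, packet sizes and threshold values are assumptions made for illustration; fragmentation is not modelled.

```python
# Added example (not from the paper or the article): simulates the linear and
# burst padding defenses on constructed packet traces.
# A trace is a list of (direction, size_in_bytes) pairs, direction "up" or "down".
from itertools import groupby

def linear_pad(trace, unit=128):
    """Linear defense: round every packet's size up to the next multiple of `unit`."""
    return [(d, -(-s // unit) * unit) for d, s in trace]

def bursts(trace):
    """Collapse contiguous same-direction packets into (direction, total_bytes) bursts."""
    return [(d, sum(s for _, s in grp)) for d, grp in groupby(trace, key=lambda p: p[0])]

def burst_pad(trace, thresholds):
    """Burst defense: pad each burst up to the smallest threshold >= its size.
    `thresholds` is a sorted list chosen per website (assumed values below);
    a burst larger than the largest threshold is padded to a multiple of it."""
    top = thresholds[-1]
    out = []
    for d, total in bursts(trace):
        padded = next((t for t in thresholds if t >= total), -(-total // top) * top)
        out.append((d, padded))
    return out

def overhead(original, padded):
    """Fraction of extra bytes the defense adds (the cost side of the trade-off)."""
    before = sum(s for _, s in original)
    after = sum(s for _, s in padded)
    return (after - before) / before

# Two constructed page loads: a small request followed by a multi-packet response.
PAGE_A = [("up", 300), ("down", 1460), ("down", 1460), ("down", 900)]
PAGE_B = [("up", 340), ("down", 1460), ("down", 1200)]
THRESHOLDS = [512, 4096, 16384]   # constructed per-site burst thresholds

if __name__ == "__main__":
    # Linear padding leaves the two pages distinguishable by packet count and size.
    print(linear_pad(PAGE_A), linear_pad(PAGE_B))
    # Burst padding maps both pages onto the same threshold bins.
    print(burst_pad(PAGE_A, THRESHOLDS), burst_pad(PAGE_B, THRESHOLDS))
    print(f"burst overhead for page A: {overhead(PAGE_A, burst_pad(PAGE_A, THRESHOLDS)):.3f}")
```

With these inputs the linear defense still yields different traces for the two pages, while the burst defense maps both to one 512-byte upstream burst and one 4096-byte downstream burst at roughly 12 percent bandwidth cost for page A; fewer, coarser thresholds merge more pages but pad more.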

The paper, which was co-authored by Brad Miller, A.D. Joseph and J.D. Tygar of the University of California at Berkeley and Ling Huang of Intel Labs, will be presented at the Privacy-Enhancing Technology Forum in Amsterdam on July 16.

photo credit: Yuri Yu. Samoilov via photopin cc
