Fingerprinting Websites Using Traffic Analysis

The Vulnerability:

SafeWeb's web anonymizing service is supposed to prevent outside observers, such as a government, from observing the web surfing of its users. It does this by encrypting the traffic between SafeWeb and the user. I have discovered that by analyzing the amount of data transferred to a user, it is possible to determine whether he/she is accessing a certain website via SafeWeb. This attack can be used by a government, such as the Chinese government, to monitor which of its citizens are using SafeWeb to view seditious websites. SafeWeb is partially funded by the CIA. SafeWeb's web anonymizing technology has recently been licensed to PrivaSec.

The Paper:

Download the paper in [PostScript], [HTML], or [PDF] format. (If you use Adobe's PDF viewer, don't forget that Adobe attacked Dmitry Sklyarov because he researched cryptography.)

Abstract: I present a traffic-analysis-based vulnerability in SafeWeb, an encrypting web proxy. This vulnerability allows someone monitoring the traffic of a SafeWeb user to determine if the user is visiting certain websites. I also describe a successful implementation of the attack. Finally, I discuss methods for improving the attack and for defending against the attack.

The paper was presented at the Workshop on Privacy Enhancing Technologies. PET2002 was a great conference and I had a lot of fun there. View the slides in [PowerPoint] or [HTML] format. The paper will be published as part of the conference proceedings in the Springer Lecture Notes in Computer Science. The copyright for the paper is currently held by Springer-Verlag.

The Code:

In my eyes, a vulnerability without exploit code is, well, not very useful (and not very fun either >:). In order to help evil governments of the world everywhere, here's my implementation of the attack: fingerprint.txt

To go along with the code, here are some example tcpdump logs to use, in case you don't feel like making your own using PrivaSec.