HTTPS: not as secure as previously thought?

Tapping Gaussian functions to analyse which HTTPS pages are being accessed exposes website usage.

HTTPS: not as secure as previously thought?
HTTPS: not as secure as previously thought?

US Researchers have developed a methodology to effectively side step the security behind HTTPS-secured IP transmissions typically used for online banking, payments and other private sessions on the Web.

According to the researchers with the University of California, Berkeley - with support from Intel Labs - if someone has access to the secure Web site that a user is visiting, then they can use pattern analysis to derive what pages the user is visiting, and what data they are inputting.

The report - entitled `Risks and Realisation of HTTPS Traffic Analysis' by Brad Miller, Ling Huang, A. D. Joseph, and J. D. Tygar - suggests the use of Gaussian functions, which are widely used in statistics where they describe the normal distributions. With sufficient Gaussian functions - like venn diagrams - it is possible to derive specific data.

"Due to [the] similarity with the Bag-of-Words approach to document classification, we refer to our technique as Bag-of-Gaussians (BoG). This approach allows us to identify specific pages within a Web site, even when the pages have similar structures and shared resources," says the report.

According to Nigel Stanley, CEO and analyst with Incoming Thought, the research paper makes for some interesting reading, but in order to execute this method of eavesdropping, the hacker would need have access to the user's ISP or corporate systems in order to analyse their `digital exhaust'.

"Quite frankly, if you have this level of access, there are other more simpler methods available," he said.

"Whilst it is interesting, people should not look at this paper and presume that HTTPS is no longer secure. It simply proves that - given enough time, research and resources - any system can be cracked," he added.

For their analysis, US and Intel researchers tested several Web sites in the banking, healthcare and entertainment sectors (eg Netflix) - and achieved 90 percent efficiencies when matching users to the Web pages they had accessed.

To counter the eavesdropping methodology, the researchers suggest that users should consider an electronic chaff technique called `burst padding' which involves the generation of random padding packets when no data is normally transmitted.

Stanley says this technique - security by obfuscation using extraneous data - is nothing new, and dates all the way back to the Second World War, when operators used to generate random noise on their circuits to confuse the enemy.

Mike McLaughlin, a senior pen tester and technical team leader with First Base Technologies, told that the techniques used by the researchers are quite fascinating and clearly involve a lot of work to conduct successfully.

"Since the technique requires ISP-level access, it's clear that there other simpler approaches that could be used," he said, adding that other techniques such as SSL stripping - first proposed several years back - would be a lot easier to use.

"Basically you would need access to the user's IP stream, and if you have that, then you could use a number of other techniques to work out which sites were being accessed," he explained.