Researchers manage to derive user info from HTTPS

Researchers have demonstrated how encrypted comms traffic can be used to extract data on users' operating systems, browsers and applications.

Researchers manage to derive user info from HTTPS
Researchers manage to derive user info from HTTPS

Security researchers have worked out how to extract details of a user's operating system, applications and browser by monitoring HTTPS traffic. The researchers said the information could be used by hackers to target victims more accurately.

According to a paper published by researchers at Ariel University and the Ben-Gurion University of the Negev in Israel, the information can be gleaned from network traffic with an astonishing accuracy of 96.06 percent.

The researchers looked at computers running Windows, Ubuntu and OS X. They also tested Chrome, Safari, IE and Firefox browsers running YouTube, Facebook and Twitter. The team trawled through 20000 sessions in order to come up with their predictions for a user's environment.

The sniffing of data was done using supervised machine learning techniques, where the algorithm learns a function that given a sample returns a label. The learning is carried out using a dataset of labelled samples.

“In our case, we chose to use sessions as samples where a session is the tuple and the label is the tuple. Thus, our task is inherently a multi class learning with 30 classes ,” said the researchers.

While the data may be encrypted and safe from prying eyes, they managed to figure out this information by looking such things as packet sizes, timings and traffic flow, among other things. Such data could be used to identify groups of people or even individuals.

“We show that despite the use of SSL/TLS, our traffic analysis approach is an effective tool. An eavesdropper can easily leverage the information about the user to fit an optimal attack vector,” said the researchers.

“A passive adversary may also collect statistics about groups of users for improving their marketing strategy. In addition, an attacker may use tuples statistics for identifying a specific person.”

Martin McKeay, senior security advocate at Akamai Technologies, told SCMagazineUK.com that the process of fingerprinting (identifying the operating system and applications in use) the environment of a victim is always one of the first steps an attacker takes.

“The attacker can use this information to find a specific set of application and operating systems, troll an environment in order to refine the attacks they plan to use or learn more about a specific user in a network they have access to,” he said.

“Because the attacker is passively collecting the information used to identify operating systems and applications, there is no traffic from the attacker that can be used to discover or track him.”

He added that if an attacker is after a particular victim, knowing the applications, browser and operating system that the victim is using allows the formation of a very specific attack plan.

“If I can find out that your CEO is using Twitter through Internet Explorer on a Windows system, I can create a spear-phishing email that takes advantage of application, browser and OS vulnerabilities, as well as the fact that the CEO is a known Twitter user. Being able to send an attack that targets the software that's known to be present greatly increases the chances of success.”


Sign up to our newsletters