Traffic Analysis of SSL Encrypted Web Browsing

The SSL protocol, an application-layer mechanism widely used for encrypted Web browsing, was not designed to address traffic analysis attacks. We investigate the threat to privacy posed by such attacks and consider possible defenses. We implement a prototype of a traffic analysis attack and employ it to identify the pages visited by users browsing a Web site. Numerical models and simulations are used to predict the effectiveness of traffic analysis on various sites, as well as the efficacy of several possible defenses. Our results show that an attack using simple techniques can identify the pages visited with very high accuracy, and suggest that defenses exist which may provide some degree of privacy protection in many cases.
