HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows

Leakage of private information from web applications—even when the traffic is encrypted—is a major security threat to many applications that use HTTP for data delivery. This paper considers the problem of inferring from encrypted HTTP traffic the web sites or web pages visited by a user. Existing browser-side approaches to this problem cannot defend against more advanced attacks, and server-side approaches usually require modifications to web entities, such as browsers, servers, or web objects. In this paper, we propose a novel browser-side system, namely HTTPOS, to prevent information leaks and offer much better scalability and flexibility. HTTPOS provides a comprehensive and configurable suite of traffic transformation techniques for a browser to defeat traffic analysis without requiring any server-side modifications. Extensive evaluation of HTTPOS on live web traffic shows that it can successfully prevent state-of-the-art attacks from inferring private information from encrypted HTTP flows.
