Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow

With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components, so a subset of the application's internal information flows is inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low-entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.
