Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks

Website fingerprinting (WF) is a traffic analysis attack that allows an eavesdropper to determine the web activity of a client, even if the client is using privacy technologies such as proxies, VPNs, or Tor. Recent work has highlighted the threat of website fingerprinting to privacy-sensitive web users. Many previously designed defenses against website fingerprinting have been broken by newer attacks that use better classifiers. The remaining effective defenses are inefficient: they hamper user experience and burden the server with large overheads. In this work we propose Walkie-Talkie, an effective and efficient WF defense. Walkie-Talkie modifies the browser to communicate in half-duplex mode rather than the usual full-duplex mode; half-duplex mode produces easily moldable burst sequences to leak less information to the adversary, at little additional overhead. Designed for the open-world scenario, Walkie-Talkie molds burst sequences so that sensitive and non-sensitive pages look the same. Experimentally, we show that Walkie-Talkie can defeat all known WF attacks with a bandwidth overhead of 31% and a time overhead of 34%, which is far more efficient than all effective WF defenses (often exceeding 100% for both types of overhead). In fact, we show that Walkie-Talkie cannot be defeated by any website fingerprinting attack, even hypothetical advanced attacks that use site link information, page visit rates, and intercell timing.

[1]  Charles V. Wright,et al.  Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis , 2009, NDSS.

[2]  Thomas Ristenpart,et al.  Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail , 2012, 2012 IEEE Symposium on Security and Privacy.

[3]  Hannes Federrath,et al.  Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial naïve-bayes classifier , 2009, CCSW '09.

[4]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[5]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[6]  Tao Wang,et al.  Improved website fingerprinting on Tor , 2013, WPES.

[7]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[8]  Roy T. Fielding,et al.  Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing , 2014, RFC.

[9]  Lili Qiu,et al.  Statistical identification of encrypted Web browsing traffic , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[10]  Tao Wang,et al.  On Realistically Attacking Tor with Website Fingerprinting , 2016, Proc. Priv. Enhancing Technol..

[11]  Thomas Engel,et al.  Website fingerprinting in onion routing based anonymization networks , 2011, WPES.

[12]  George Danezis,et al.  k-fingerprinting: A Robust Scalable Website Fingerprinting Technique , 2015, USENIX Security Symposium.

[13]  Brijesh Joshi,et al.  Touching from a distance: website fingerprinting attacks and defenses , 2012, CCS.

[14]  Rachel Greenstadt,et al.  A Critical Evaluation of Website Fingerprinting Attacks , 2014, CCS.

[15]  David D. Jensen,et al.  Privacy Vulnerabilities in Encrypted HTTP Streams , 2005, Privacy Enhancing Technologies.

[16]  Xiapu Luo,et al.  HTTPOS: Sealing Information Leaks with Browser-side Obfuscation of Encrypted Flows , 2011, NDSS.

[17]  Vitaly Shmatikov,et al.  Beauty and the Burst: Remote Identification of Encrypted Video Streams , 2017, USENIX Security Symposium.

[18]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[19]  Mun Choon Chan,et al.  Website Fingerprinting and Identification Using Ordered Feature Sequences , 2010, ESORICS.

[20]  Tao Wang,et al.  A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses , 2014, CCS.

[21]  Ling Huang,et al.  I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis , 2014, Privacy Enhancing Technologies.

[22]  D. W. Scott,et al.  Multivariate Density Estimation, Theory, Practice and Visualization , 1992 .

[23]  Tao Wang,et al.  Effective Attacks and Provable Defenses for Website Fingerprinting , 2014, USENIX Security Symposium.

[24]  H. Cheng,et al.  Traffic Analysis of SSL Encrypted Web Browsing , 1998 .

[25]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[26]  Xiang Cai,et al.  CS-BuFLO: A Congestion Sensitive Website Fingerprinting Defense , 2014, WPES.

[27]  Angelos D. Keromytis,et al.  The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications , 2015, CCS.

[28]  Klaus Wehrle,et al.  Website Fingerprinting at Internet Scale , 2016, NDSS.

[29]  Xiang Cai,et al.  Glove: A Bespoke Website Fingerprinting Defense , 2014, WPES.