[Cryptography] nytimes.com switches to https
Christian Huitema
huitema at huitema.net
Wed Jan 11 21:16:05 EST 2017
On Wednesday, January 11, 2017 3:19 PM, Peter Gutmann wrote:
> Christian Huitema <huitema at huitema.net> writes:
>
>> The good news is that the use of message length as a side channel is now
>> widely understood. TLS 1.3 supports message padding.
>
> SSLv3 supported message padding. It was just as ineffective then as it
will
> be in TLS 1.3, see e.g. "Peek-a-Boo, I Still See You: Why Efficient
Traffic
> Analysis Countermeasures Fail" by Dyer et al. tl;dr version: To be truly
> effective, the amount of overhead required in terms of dummy traffic and
noise
> is impractical, as much as 400%. Since the goal of TLS 1.3 is to make
content
> delivery by Google et al as efficient as possible, they're not going to
negate
> all that again just to defeat traffic analysis.
To quote from the conclusion of the Peek-a-Boo paper, "Our work paints a
pretty negative picture of the usefulness of efficient, low-level TA
countermeasures against website-fingerprinting attacks. But pessimism need
not prevail." The work demonstrates that given enough "features", one can
train classifiers and recognize which web site is being queried. No doubt
about that.
Note that the paper was about identifying web sites, such as for example
differentiating the NYT from Wikipedia. That's a very hard problem. But we
can start with simpler goals, such as differentiating one Wikipedia article
from another. Still hard, but probably not unattainable.
It will probably require padding of the "page sizes" to a small set of
standard sizes, maybe powers of two or fractional powers of two, thus
defeating the coarse grain features outlined in the Peek-a-Boo paper. That's
substantial padding, up to 100% for the power of 2, a fraction of that for
the fractional power. Will the web site publishers pay for that? Probably
not all of them. But some might.
-- Christian Huitema
More information about the cryptography
mailing list