While trying to find more information about the Hansen and Sokol talk at BlackHat, I found that Hansen had recommended this recent paper

http://www.informatics.indiana.edu/xw7/WebAppSideChannel-final.pdf

which describes practical traffic analysis of particular sites that use HTTPS (just by observing encrypted flows). They mention several clever ways to deduce what the user is doing on the site -- for example, inferring what particular illness a user is researching on a health site, or deducing the contents of a financial chart from its image file size (!). The paper is called "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow".

The researchers suggest that web application developers should use padding to make different activities on their sites less distinguishable. That sounds pretty optimistic to me. I've heard other privacy researchers complain that it's extremely hard to get web developers to do things.

Obviously, the existence of traffic analysis attacks is not new. I'm wondering about the severity of this problem. The simplest threat scenario for Tor users would be when an attacker in a position to observe a particular user's traffic, but not any exit node traffic, hypothesizes that the user is likely to visit a particular site and builds up a profile of what web browsing traffic to that site will look like. The attacker could then try to confirm the hypothesis that the user is using that site and also try to infer some details of what the user is doing.

This is quite different from traffic confirmation because the attacker only has to be present at one end.

--
Seth Schoen
Senior Staff Technologist sch...@eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
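
The padding mitigation mentioned in the message can be evaluated from the site operator's side before deploying it. The following is an added example, not part of the original message or the paper: it groups pages by the response size visible on the wire and reports which pages remain uniquely identifiable with and without bucket padding. The page paths, sizes, and bucket values are constructed, and the model assumes size is the only observable (it ignores TLS record overhead, compression, timing, and request counts).

```python
from collections import defaultdict

# Constructed sample: response body sizes in bytes for hypothetical pages.
RESPONSES = {
    "/condition/a": 1830,
    "/condition/b": 2410,
    "/condition/c": 2455,
    "/chart/1": 5120,
    "/chart/2": 6890,
    "/chart/3": 7015,
}


def pad_to_bucket(size, bucket):
    """Round a size up to the next multiple of the bucket."""
    return -(-size // bucket) * bucket


def observable_classes(sizes, bucket=None):
    """Group pages by the size an on-path observer would see."""
    groups = defaultdict(list)
    for page, size in sizes.items():
        seen = pad_to_bucket(size, bucket) if bucket else size
        groups[seen].append(page)
    return dict(groups)


def uniquely_identifiable(sizes, bucket=None):
    """Pages whose observed size is shared with no other page."""
    classes = observable_classes(sizes, bucket)
    return sorted(p for g in classes.values() if len(g) == 1 for p in g)


def overhead(sizes, bucket):
    """Fraction of extra bytes sent because of padding."""
    total = sum(sizes.values())
    padded = sum(pad_to_bucket(s, bucket) for s in sizes.values())
    return (padded - total) / total


if __name__ == "__main__":
    for bucket in (None, 1024, 4096):
        exposed = uniquely_identifiable(RESPONSES, bucket)
        cost = overhead(RESPONSES, bucket) if bucket else 0.0
        print(f"bucket={bucket}: exposed={exposed} overhead={cost:.1%}")
```

On this sample, a 1024-byte bucket still leaves two pages in a class of their own, while a 4096-byte bucket removes every singleton at roughly 43% bandwidth overhead, which illustrates the cost that makes the recommendation hard to adopt.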