I’m always fascinated by side-channel attacks where the attack is focused on the underlying architecture of the cryptosystem and the data echoes it creates rather than the algorithm or implementation itself. Similar somewhat to the recent breaking of OpenSSL using power fluctuations.
This time some researcher type fellas focused on the digital noise autocomplete webforms make over an encrypted connection and how it can expose some pretty sensitive data such as medical histories, income, search queries and more.
Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.
Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-Fi Protected Access, protocol.
“Our research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications” offered by Google, Yahoo, and Bing as well as the leading online providers of tax, health and investments services, which the researchers didn’t name.
There’s a lot of inference going on but from what I understand of the attack it would only get more accurate as they collected more data and refined the pattern matching.
The attack can succeed over SSL (https connections) or WPA encrypted wireless sessions.
It’s like a rather complex puzzle, piecing together different snippets of metadata to come out with an answer, which so far seems to be working well.
They also showed how the auto-suggestion features in Google, Yahoo!, and Bing can leak the search terms users enter, even when traffic is encrypted over WPA. That’s because the resulting packets are easy to identify by their “web flow vectors.”
The threat is significant because it stems from fundamental characteristics of software-as-a-service applications that have been in vogue for about a decade. Among other things, apps built on AJAX and other Web 2.0 technologies are usually “stateful,” meaning they keep track of unique configuration information. Such data often has “low entropy,” making it easy for attackers to make educated guesses about its contents.
While a variety of mitigations are available to prevent such attacks, the researchers warn they could come at a high cost. The most obvious solution is to “pad” responses with superfluous data that confuses attackers trying to make sense of the traffic. But the researchers showed the mitigation isn’t always effective and they also point out that it adds a considerable amount of traffic to each transaction, which in turn drives up the costs of operation.
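To make the “web flow vector” idea and the padding trade-off concrete, here is a small simulation I put together; it is an added example, not code from the paper or from The Register. It models an autocomplete endpoint over a constructed toy suggestion dictionary (not real search data), treats encryption as hiding content but preserving length plus a fixed overhead (`TLS_OVERHEAD` is an assumed constant), shows how an eavesdropper who only sees response sizes per keystroke can narrow down what was typed, and then measures what padding responses to a block size does to both the ambiguity and the bandwidth bill.

```python
"""Simulation of length leakage from an encrypted autocomplete flow and of padding as a mitigation.

Everything here is constructed for illustration: the suggestion dictionary is a toy,
and TLS_OVERHEAD is an assumed fixed per-record cost, not a measured value.
"""
import json
import math
from collections import defaultdict

# Constructed toy autocomplete dictionary: prefix typed so far -> suggestions returned.
SUGGESTIONS = {
    "a": ["amazon", "apple", "aol mail"],
    "ab": ["abc news", "abercrombie"],
    "b": ["bank of america", "best buy", "bing"],
    "c": ["craigslist", "cnn"],
    "ca": ["cancer symptoms", "car insurance quotes"],
    "d": ["diabetes", "dictionary"],
    "di": ["diabetes symptoms", "diet plans", "dictionary"],
}

TLS_OVERHEAD = 29  # assumed constant bytes added per encrypted record (headers, MAC, etc.)


def render_response(prefix):
    """Serialize the suggestions the way a JSON autocomplete endpoint might."""
    return json.dumps({"q": prefix, "s": SUGGESTIONS.get(prefix, [])}).encode()


def flow_vector(prefix, pad_to=None):
    """Ciphertext size an eavesdropper observes for one keystroke's response.

    Encryption hides the bytes but not their count. With pad_to set, the server
    pads every response up to the next multiple of pad_to before encrypting.
    """
    size = len(render_response(prefix)) + TLS_OVERHEAD
    if pad_to:
        size = math.ceil(size / pad_to) * pad_to
    return size


def fingerprint_table(pad_to=None):
    """Eavesdropper's offline profile: (keystroke count, observed size) -> possible prefixes."""
    table = defaultdict(set)
    for prefix in SUGGESTIONS:
        table[(len(prefix), flow_vector(prefix, pad_to))].add(prefix)
    return table


def observe_typing(query, pad_to=None):
    """Sizes recorded while the user types `query` one character at a time."""
    return [flow_vector(query[:i], pad_to) for i in range(1, len(query) + 1)]


def infer_prefixes(sizes, pad_to=None):
    """Narrow the typed prefix from observed sizes alone.

    Each keystroke's candidates must match the observed size for that step and
    extend a candidate that survived the previous step.
    """
    table = fingerprint_table(pad_to)
    candidates = {""}
    for step, size in enumerate(sizes, start=1):
        candidates = {p for p in table[(step, size)] if p[:-1] in candidates}
    return candidates


def padding_overhead(pad_to):
    """Fractional extra bytes the padding scheme costs across the whole dictionary."""
    raw = sum(flow_vector(p) for p in SUGGESTIONS)
    padded = sum(flow_vector(p, pad_to) for p in SUGGESTIONS)
    return padded / raw - 1


if __name__ == "__main__":
    for pad in (None, 16, 64):
        sizes = observe_typing("ca", pad)
        guess = infer_prefixes(sizes, pad)
        cost = 0.0 if pad is None else padding_overhead(pad)
        print(f"pad_to={pad}: observed sizes {sizes} -> candidates {sorted(guess)} "
              f"(distinct flow vectors: {len({flow_vector(p, pad) for p in SUGGESTIONS})}, "
              f"overhead {cost:.0%})")
```

With no padding every prefix in the toy dictionary has a unique size, so the two observed sizes identify “ca” exactly; padding to 16-byte blocks still leaves two candidates, while padding to 64 bytes collapses all responses to the same size at roughly a 60% bandwidth penalty on this data. That is the cost the researchers are pointing at: the padding only hides the prefix once it is coarse enough to swallow the natural variation in response length, and on a real service with a much larger dictionary the same coarseness has to be applied to every transaction.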
Honestly, as a real-life attack, apart from corporate espionage or identity theft, I don’t see how it is very practical or dangerous.
Plus, mitigation will produce a lot of redundant data and increase operation costs; who wants that?
You can get the full white-paper here:
WebAppSideChannel-final.pdf [PDF]
Source: The Register