http://arstechnica.com/security/2014/03/new-attack-on-https-crypto-might-know-if-youre-pregnant-or-have-cancer/
By Dan Goodin
Ars Technica
March 6 2014
As the most widely used technology to prevent eavesdropping on the
Internet, HTTPS encryption has seen its share of attacks, most of which
work by exploiting weaknesses that allow snoops to decode
cryptographically scrambled traffic. Now there's a novel technique that
can pluck out details as personal as someone's sexual orientation or a
contemplation of suicide, even when the protection remains intact.
A recently published academic paper titled "I Know Why You Went to the
Clinic: Risks and Realization of HTTPS Traffic Analysis" shows how even
strongly encrypted Web traffic can reveal highly personal information to
employers, Internet service providers, state-sponsored spies, or anyone
else with the capability to monitor a connection between a site and the
person visiting it. As a result, it's possible for them to know with a
high degree of certainty what video someone accessed on Netflix or
YouTube, the specific tax form or legal advice someone sought from an
online lawyer service, and whether someone visiting the Mayo Clinic
website is viewing pages related to pregnancy, headaches, cancer, or
suicide.
The attack works by carefully analyzing encrypted traffic and taking note
of subtle differences in data size and other characteristics of the
encrypted contents. In much the way someone holding a wrapped birthday
present can tell if it contains a book, a Blu-ray disk, or a box of candy,
an attacker can know with a high degree of certainty the specific URL of
the HTTPS-protected website. The Transport Layer Security (TLS) and Secure
Sockets Layer (SSL) protocols underpinning Web encryption specifically
encrypt the URL, so until now, many people presumed an attacker could only
deduce the IP address of a site someone was visiting rather than specific
pages belonging to that site.
[...]