User Profiling in the Time of HTTPS | Gonzalez, Soriente, Laoutaris

Roberto Gonzalez, Claudio Soriente, Nikolaos Laoutaris; User Profiling in the Time of HTTPS; In Proceedings of the Internet Measurement Conference (IMC); 2016; 7 pages.

Abstract

Tracking users within and across websites is the base for profiling their interests, demographic types, and other information that can be monetised through targeted advertising and big data analytics. The advent of HTTPS was supposed to make profiling harder for anyone beyond the communicating end-points. In this paper we examine to what extent the above is true. We first show that by knowing the domain that a user visits, either through the Server Name Indication of the TLS protocol or through DNS, an eavesdropper can already derive basic profiling information, especially for domains whose content is homogeneous. For domains carrying a variety of categories that depend on the particular page that a user visits, e.g., news portals, e-commerce sites, etc., the basic profiling technique fails. Still, accurate profiling remains possible through transport layer fingerprinting that uses network traffic signatures to infer the exact page that a user is browsing, even under HTTPS. We demonstrate that transport fingerprinting remains robust and scalable despite hurdles such as caching, dynamic content for different device types etc. Overall our results indicate that although HTTPS makes profiling more difficult, it does not eradicate it by any means.
