HTTPS is not enough: Boffins fingerprint user environments without cracking crypto

Encryption might hide important content from prying eyes, but a group of Israeli researchers has found that HTTPS traffic alone can fingerprint a user's operating system, browser, and application.

With a big enough learning set, they write, they were able to identify users' environments with 96.06 per cent accuracy.

In their paper at Arxiv, the group – from Ariel University and the Ben-Gurion University of the Negev – show that the characteristics of communication traffic (timing, flows in both directions, variations in packet size and the like) are distinctive enough to create the fingerprint.

It's not only passing spooks that will take an interest in such identification: “A passive adversary may also collect statistics about groups of users for improving their marketing strategy. In addition, an attacker may use tuples statistics for identifying a specific person”, the researchers write.

The information would also help someone targeting an attack, since eavesdroppers (for example, someone sucking traffic out of a public Wi-Fi hotspot) “can easily leverage the information about the user to fit an optimal attack vector”.

The operating systems the researchers tested were Windows, Linux (Ubuntu) and OSX; they tested the Chrome, IE, Firefox and Safari browsers; and the applications in the dataset included Facebook and Twitter.

Connection behaviour had already been used to identify Skype and other VoIP conversations in spite of encryption, but that didn't reach all the way to the underlying operating system, the paper says.

The researchers have published their dataset here for others to test. ®