Abstract
Web applications are subject to several types of attacks. In particular, side-channel attacks consist in performing a statistical analysis of the web traffic to gain sensitive information about a client. In this paper, we investigate how side-channel leaks can be used on search engines such as Google or Bing to retrieve the client’s search query. In contrast to previous works, due to payload randomization and compression, it is not always possible to uniquely map a search query to a web traffic signature and hence stochastic algorithms must be used. They yield, for the French language, an exact recovery of search word in more than \(30\) % of the cases. Finally, we present some methods to mitigate such side-channel leaks.
The online demo of the attack (presented at the CRiSIS 2014 conference) is available on YouTube, at address: http://youtu.be/ynG6tuqeIuM.
Annelie Heuser is Google European fellow in the field of privacy and is partially founded by this fellowship.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
See description of Google Instant: http://goo.gl/WI9Zu and Google Autocomplete: http://goo.gl/jv3fQ.
- 2.
More precisely, the sizes of the packets sent by the user are fixed for a given number of letters, and the sizes of received packets containing suggestions depend only on the word typed by the user (it may only change if Google changes the suggested search queries).
- 3.
- 4.
This is known as Google Instant.
References
A Face Is Exposed for AOL Searcher, New York Times article, 9 August 2006. http://select.nytimes.com/gst/abstract.html?res=F10612FC345B0C7A8CDDA10894DE404482. Accessed 27 July 2014
Making Search More Secure, 18 October 2011. http://googleblog.blogspot.fr/2011/10/making-search-more-secure.html. Accessed 27 July 2014
Post-PRISM, Google Confirms Quietly Moving To Make All Searches Secure, Except For Ad Clicks, 23 September 2013. http://searchengineland.com/post-prism-google-secure-searches-172487. Accessed 17 July 2014
Cantino, A.: Demasking Google Users With a Timing Attack (blog post). http://blog.andrewcantino.com/blog/2014/09/04/demasking-google-users-with-a-timing-attack/
Chen, S., Wang, R., Wang, X., Zhang, K.:Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (SP 2010), pp. 191–206 (2010)
Liberatore, M., Levine, N.B.: Inferring the source of encrypted HTTP connections. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), pp. 255–263. ACM, New York (2006)
Herrmann, D., Wendolsky, R., Federrath, H.: Website fingerprinting: attacking popular privacy enhancing technologies with the multinomial Naïve-Bayes classifier. In: Proceedings of the 2009 ACM Workshop on Cloud Computing Security (CCSW 2009), pp. 31–42 (2009)
Mather, L., Oswald, E.: Pinpointing side-channel information leaks in web applications. J. Cryptogr. Eng. 2(3), 161–177 (2012). Also available in ICAR ePrint 2012:269
Sampreet Sharma, A., Bernard Menezes, M.: Implementing side-channel attacks on suggest boxes in web applications. In: Proceedings of the First International Conference on Security of Internet of Things, SecurIT 2012, Amritapuri, Kollam, pp. 57–62 (2012)
Fredkin, E.: Trie memory. Commun. ACM 3(9), 490–499 (1960)
Tey, C.M., Gupta, P., Gao, D., Zhang, Y.: Keystroke timing analysis of on-the-fly web apps. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 405–413. Springer, Heidelberg (2013)
Nassar, M., Guilley, S., Danger, J.-L.: Formal analysis of the entropy/security trade-off in first-order masking countermeasures against side-channel attacks. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 22–39. Springer, Heidelberg (2011)
Backes, M., Doychev, G., Köpf, B.: Preventing side-channel leaks in web traffic: a formal approach. In: 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, 24–27 February 2013, 17 p. http://internetsociety.org/doc/preventing-side-channel-leaks-web-traffic-formal-approach
Dyer, K.P., Coull, S.E., Ristenpart, T., Shrimpton, T.: Peek-a-Boo, i still see you: why efficient traffic analysis countermeasures fail. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP 2012), San Francisco, California, USA, pp. 332–346 (2012)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Schaub, A. et al. (2015). Attacking Suggest Boxes in Web Applications Over HTTPS Using Side-Channel Stochastic Algorithms. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-17127-2_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer ScienceComputer Science (R0)