Paper 2014/959

Attacking Suggest Boxes in Web Applications Over HTTPS Using Side-Channel Stochastic Algorithms

Alexander Schaub, Emmanuel Schneider, Alexandros Hollender, Vinicius Calasans, Laurent Jolie, Robin Touillon, Annelie Heuser, Sylvain Guilley, and Olivier Rioul

Abstract

Web applications are subject to several types of attacks. In particular, side-channel attacks consist in performing a statistical analysis of the web traffic to gain sensitive information about a client. In this paper, we investigate how side-channel leaks can be used on search engines such as Google or Bing to retrieve the client's search query. In contrast to previous works, due to payload randomization and compression, it is not always possible to uniquely map a search query to a web traffic signature and hence stochastic algorithms must be used. They yield, for the French language, an exact recovery of search word in more than 30% of the cases. Finally, we present some methods to mitigate such side-channel leaks.

Note: Adding the cipher suite used after handshake between the server and our client in our experiments.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision. CRiSIS 2014
Contact author(s)
sylvain guilley @ telecom-paristech fr
History
2014-11-25: received
Short URL
https://ia.cr/2014/959
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2014/959,
      author = {Alexander Schaub and Emmanuel Schneider and Alexandros Hollender and Vinicius Calasans and Laurent Jolie and Robin Touillon and Annelie Heuser and Sylvain Guilley and Olivier Rioul},
      title = {Attacking Suggest Boxes in Web Applications Over {HTTPS} Using Side-Channel Stochastic Algorithms},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/959},
      year = {2014},
      url = {https://eprint.iacr.org/2014/959}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.