English subtitles

← TLS Information Leak Solution - Applied Cryptography

Get Embed Code
1 Language

Showing Revision 2 created 05/25/2016 by Udacity Robot.

  1. The answer is many, many things that we should be worried about.
  2. The attacker might not learn the exact size, because of padding on the request
  3. up to the block size.
  4. The same thing for the responses. The attacker also learns the pattern.
  5. This reveals a lot about a webpage.
  6. Because of optimizations and HTTP, there are often multiple responses to one request.
  7. This could be because the large page is broken into many responses.
  8. It could be because there are many images on the page, and they respond,
  9. and although they would normally require separate requests,
  10. because of caching they could be sent before those requests.
  11. These patterns are very distinguishing.
  12. Different webpages will have different sizes of response as well as a different pattern.
  13. An example of where this is particularly dangerous
  14. in modern web applications--we're using HTTPS connected to Google.
  15. Now when I type a letter, I get a response.
  16. It's filling up the guesses of what I'm going to type next.
  17. The size of this response depends on the letter than I typed.
  18. If I type another letter, I get a different response.
  19. You can see that udacity is the most popular word starting with "ud,"
  20. at least according to when I'm using Google.
  21. I don't know if that's true for everyone.
  22. But that size differs, and if I type another letter I get a different response.
  23. The size of these responses depend on the letters I'm typing.
  24. The length of these words will effect the size of the response.
  25. You can build a model that would identify what someone is typing
  26. based on the sizes of these responses.
  27. There is a paper by a group from Microsoft Research that shows some of these vulnerabilities
  28. and how much information that an attacker can learn from that.
  29. There's another paper by Peter Chapman and myself,
  30. and you may remember Peter if you took CS101. He was the TA for that.
  31. It looked at ways of measuring this and understanding how much information is really leaking.
  32. This is a serious attack.
  33. It's something that even though the encryption is there, that an attacker can learn a lot
  34. about what's going on on a webpage.