Feeds

Your health, tax, and search data siphoned

Software-as-a-service springs SSL leak

Security for virtualized datacentres

Google, Yahoo, Microsoft's Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.

"Our research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications" offered by Google, Yahoo, and Bing as well as the leading online providers of tax, health and investments services, which the researchers didn't name.

"An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees' laptops, as if they were exposed in plain text in the air."

The paper showed how they were able to deduce the doctor and medical condition of a person who had entered the information into a site operated by "one of the most reputable companies of online services," which runs exclusively over an HTTPS channel. In the case of medical conditions, the details were leaked through the site's auto-suggestion feature, which updates potential entries in response to each keystroke.

The researchers discovered they could "disambiguate" the input by matching each keystroke to the size of the response in the suggestion list. Selections from the site's "Find a Doctor" service were inferred by using the user's IP address to guess her geographic location and then analyzing the packets as they flowed back and forth.

The researchers employed similar techniques to a user of an online tax-preparation application that asks simple questions and tailors future queries based on the answers. By scrutinizing the encrypted responses, they were able to determine the site was asking questions concerning student loan interest deductions, which applied only to tax payers who earned less than $145,000.

By compiling a list of the responses concerning other deductions, it was possible to accurately infer a user's annual income, the researchers said.

They also showed how the auto-suggestion features in Google, Yahoo!, and Bing can leak the search terms users enter, even when traffic is encrypted over WPA. That's because the resulting packets are easy to identify by their "web flow vectors."

The threat is significant because it stems from fundamental characteristics of software-as-a-service applications that have been in vogue for about a decade. Among other things, apps built on AJAX and other Web 2.0 technologies are usually "stateful," meaning they keep track of unique configuration information. Such data often has "low entropy," making it easy for attackers to make educated guesses about its contents.

While a variety of mitigations are available to prevent such attacks, the researchers warn they could come at a high cost. The most obvious solution is to "pad" responses with superfluous data that confuses attackers trying to make sense of the traffic. But the researchers showed the mitigation isn't always effective and they also point out that it adds a considerable amount of traffic to each transaction, which in turn drives up the costs of operation.

"Effective and efficient mitigations have to be application-specific: developers will need to identify the vulnerabilities first, and then specify mitigation policies accordingly," the researchers wrote. "This effort requires analysis of web application semantics, information flow and network traffic patterns."

The scientists are Shuo Chen of Microsoft Research; and Rui Wang, XiaoFeng Wang, and Kehuan Zhang of Indiana University at Bloomington's School of Informatics and Computing. A PDF of the paper is here. Princeton University computer science professor and Freedom to Tinker blogger Ed Felton has additional analysis here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.