As one of the most trusted forms on encryption on the net, HTTPS has also been one of the highest prized targets for all the latest cracks, hacks, and attacks that the pentesting community can come up with.
In the recently published academic study entitled “I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis“, three researchers have revealed that by analyzing the minor differences in data transferred between a user and the server they are connecting to, they were able to detect what movies someone might be watching on Netflix, the number of appointments they’ve scheduled with their doctor, and even whether the person they’ve targeted is pregnant or not.
“The message motivating the technical points and techniques presented in the paper is that, in the case of many HTTPS deployments, maintaining the privacy of which pages a user views within a site matters,” Brad Miller, a PhD candidate at the University of California at Berkeley and the lead author of the paper, wrote in an e-mail. “To see why, consider (1) the range of intermediary parties which can access user traffic and (2) what can be inferred from the pages you view within a website.”
It’s this extreme level of specificity that has caused an uproar in the ranks, with hundreds of different major players on the net scrutinizing the results out of fear they might have put their customers at risk without even realizing it.
The ten websites named in the study include Bank of America, Planned Parenthood, and YouTube just to name a few, and it’s through these portals that the team was able to compile their information and use it to get an 89% accurate picture of all the sordid details that are normally supposed to stay hidden behind a wall of security and secrecy.