New attack on HTTPS crypto might reveal if you're pregnant or have cancer [telecom]

Ars Technica

Scientist-devised technique determines precise address of SSL-protected websites.

by Dan Goodin

As the most widely used technology to prevent eavesdropping on the Internet, HTTPS encryption has seen its share of attacks, most of which work by exploiting weaknesses that allow snoops to decode cryptographically scrambled traffic. Now there's a novel technique that can pluck out details as personal as someone's sexual orientation or a contemplation of suicide, even when the protection remains intact.

A recently published academic paper titled "I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis" shows how even strongly encrypted Web traffic can reveal highly personal information to employers, Internet service providers, state-sponsored spies, or anyone else with the capability to monitor a connection between a site and the person visiting it. As a result, it's possible for them to know with a high degree of certainty what video someone accessed on Netflix or YouTube, the specific tax form or legal advice someone sought from an online lawyer service, and whether someone visiting the Mayo Clinic website is viewing pages related to pregnancy, headaches, cancer, or suicide.


Bill Horne
