Proceedings of the 17th ACM conference on Computer and communications security
Fingerprinting websites using remote traffic analysis
Proceedings of the 17th ACM conference on Computer and communications security
Determinating timing channels in compute clouds
Proceedings of the 2010 ACM workshop on Cloud computing security workshop
Private information disclosure from web searches
PETS'10 Proceedings of the 10th international conference on Privacy enhancing technologies
Proceedings of the twenty-third annual ACM symposium on Parallelism in algorithms and architectures
Inferring users' online activities through traffic analysis
Proceedings of the fourth ACM conference on Wireless network security
Privacy-preserving traffic padding in web-based applications
Proceedings of the 10th annual ACM workshop on Privacy in the electronic society
Automated black-box detection of side-channel vulnerabilities in web applications
Proceedings of the 18th ACM conference on Computer and communications security
Proceedings of the second ACM conference on Data and Application Security and Privacy
Privacy streamliner: a two-stage approach to improving algorithm efficiency
Proceedings of the second ACM conference on Data and Application Security and Privacy
Side-channel vulnerability factor: a metric for measuring information leakage
Proceedings of the 39th Annual International Symposium on Computer Architecture
Website detection using remote traffic analysis
PETS'12 Proceedings of the 12th international conference on Privacy Enhancing Technologies
k-indistinguishable traffic padding in web applications
PETS'12 Proceedings of the 12th international conference on Privacy Enhancing Technologies
Protecting web-based patient portal for the security and privacy of electronic medical records
HealthSec'12 Proceedings of the 3rd USENIX conference on Health Security and Privacy
Privacy risks in named data networking: what is the cost of performance?
ACM SIGCOMM Computer Communication Review
The most dangerous code in the world: validating SSL certificates in non-browser software
Proceedings of the 2012 ACM conference on Computer and communications security
Collaborative TCP sequence number inference attack: how to crack sequence number under a second
Proceedings of the 2012 ACM conference on Computer and communications security
Scriptless attacks: stealing the pie without touching the sill
Proceedings of the 2012 ACM conference on Computer and communications security
Implementing side-channel attacks on suggest boxes in web applications
Proceedings of the First International Conference on Security of Internet of Things
Practical information flow for legacy web applications
Proceedings of the 8th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems
Identity, location, disease and more: inferring your secrets from android public resources
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Protecting sensitive web content from client-side vulnerabilities with CRYPTONS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
SideAuto: quantitative information flow for side-channel leakage in web applications
Proceedings of the 12th ACM workshop on Workshop on privacy in the electronic society
Keystroke timing analysis of on-the-fly web apps
ACNS'13 Proceedings of the 11th international conference on Applied Cryptography and Network Security
DupLESS: server-aided encryption for deduplicated storage
SEC'13 Proceedings of the 22nd USENIX conference on Security
Flow stealing: A well-timed redirection attack
Journal of Computer Security - Research in Computer Security and Privacy: Emerging Trends
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application's internal information flows is inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low-entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigation in future web application development.