[Pearg] Website fingerprinting with QUIC

Christian Huitema <huitema@huitema.net> Thu, 04 February 2021 20:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/pearg/NOgYz1SEGg0dE6LBmXUzGbEXpGQ>

I just saw this paper: Website Fingerprinting on Early QUIC Traffic,
https://arxiv.org/abs/2101.11871.

The authors describe how they train models to recognize web sites from
observations of traffic patterns, using features like packets observed in
both directions of traffic and classification of packets as 
short/medium/full length. They claim that such fingerprinting is easier 
when the transport is using QUIC than when it is using HTTPS. There are 
some limitations in this paper. They test against an early version of 
Google QUIC, not the latest IETF version. They use only the Chrome 
client, thus have to consider just one rendering sequence. They force 
the clients to clear their caches and thus download the full sites, 
which makes identification easier. And they use somewhat charged 
language, like "the insecurity characteristic of QUIC", when they merely 
demonstrated vulnerability to traffic fingerprinting. But then, yes, the 
results are interesting.

When I see papers like that, I am always of two minds. On one hand, I 
know that some features of the QUIC transport like PING or PAD frames 
make it easy to pad packet sizes and to inject traffic that does not 
interfere with the application, and that proper use of such padding and 
injection might disturb the fingerprinting models used by censors. On
the other hand, I am aware of the tit-for-tat competition that will
ensue, with better obfuscation driving development of more efficient
fingerprinting models. Still, I wonder whether someone is working on
that today: train fingerprinting models using techniques similar to 
those in the paper, and then compare how different models of padding and 
packet injection disturb this fingerprinting.

-- Christian Huitema
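
The comparison proposed in the message, sketched as an added example (not code from the message or from the paper): it builds direction and size-class features from two traces, then measures how two padding policies change the distance between the sites' feature vectors and what each costs in bytes. The traces, the size-class boundaries, the site names and the policy functions are all constructed assumptions.

```python
import math
from collections import Counter

# Assumed size-class boundaries in bytes; the message does not give them.
SHORT_MAX, MEDIUM_MAX, FULL = 200, 1000, 1350

# Constructed traces of (direction, size) pairs, one per hypothetical site.
TRACES = {
    "site-a": [("out", 120), ("in", 1350), ("in", 1350), ("in", 1350),
               ("out", 80), ("in", 1350), ("in", 600)],
    "site-b": [("out", 120), ("in", 700), ("out", 300), ("in", 650),
               ("out", 90), ("in", 900), ("in", 150)],
}

def size_class(n):
    return "short" if n <= SHORT_MAX else "medium" if n <= MEDIUM_MAX else "full"

def features(trace):
    """Normalised histogram over (direction, size class)."""
    counts = Counter((d, size_class(n)) for d, n in trace)
    return {k: v / len(trace) for k, v in counts.items()}

def distance(f, g):
    """Euclidean distance between two sparse feature vectors."""
    return math.sqrt(sum((f.get(k, 0) - g.get(k, 0)) ** 2 for k in set(f) | set(g)))

def no_padding(trace):
    return list(trace)

def pad_to_full(trace):
    """Pad every packet up to FULL bytes; packet count and directions unchanged."""
    return [(d, max(n, FULL)) for d, n in trace]

def pad_and_inject(trace):
    """Pad to FULL and follow each packet with a dummy in the opposite direction
    (assumes both endpoints cooperate in sending cover traffic)."""
    out = []
    for d, n in pad_to_full(trace):
        out += [(d, n), ("in" if d == "out" else "out", FULL)]
    return out

def evaluate(policy):
    """Return (feature distance between the two sites, byte overhead ratio)."""
    shaped = {s: policy(t) for s, t in TRACES.items()}
    sep = distance(features(shaped["site-a"]), features(shaped["site-b"]))
    before = sum(n for t in TRACES.values() for _, n in t)
    after = sum(n for t in shaped.values() for _, n in t)
    return sep, after / before

if __name__ == "__main__":
    for policy in (no_padding, pad_to_full, pad_and_inject):
        print(policy.__name__, "separation=%.3f overhead=%.2fx" % evaluate(policy))
```

On these traces, size padding alone leaves the per-direction packet counts visible, so the sites stay separable; only the policy that also injects traffic removes the difference, at roughly twice the byte cost.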