Re: [Pearg] Website fingerprinting with QUIC

Siby Sandra Deepthy <> Mon, 22 February 2021 15:19 UTC

From: Siby Sandra Deepthy <>
To: Christian Huitema <>
Date: Mon, 22 Feb 2021 15:14:04 +0000

Hi Christian,

Some of my colleagues and I are currently working on this problem. If there are others working/interested in this area, we'd be happy to chat!



From: Pearg <> on behalf of Christian Huitema <>
Sent: Thursday, February 4, 2021 9:51:59 PM
Subject: [Pearg] Website fingerprinting with QUIC

I just saw this paper: Website Fingerprinting on Early QUIC Traffic.
The authors describe how they train models to recognize web sites from observations of traffic patterns, using features like packets observed in both directions of traffic and classification of packets as short/medium/full length. They claim that such fingerprinting is easier when the transport is using QUIC than when it is using HTTPS. There are some limitations in this paper. They test against an early version of Google QUIC, not the latest IETF version. They use only the Chrome client, thus have to consider just one rendering sequence. They force the clients to clear their caches and thus download the full sites, which makes identification easier. And they use somewhat charged language, like "the insecurity characteristic of QUIC", when they merely demonstrated vulnerability to traffic fingerprinting. But then, yes, the results are interesting.
When I see papers like that, I am always of two minds. On one hand, I know that some features of the QUIC transport like PING or PAD frames make it easy to pad packet sizes and to inject traffic that does not interfere with the application, and that proper use of such padding and injection might disturb the fingerprinting models used by censors. On the other hand, I am aware of the tit-for-tat competition that will ensue, with better obfuscation driving development of more efficient fingerprinting models. Still, I wonder whether someone is working on that today: train fingerprinting models using techniques similar to those in the paper, and then compare how different models of padding and packet injection disturb this fingerprinting.
-- Christian Huitema
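
The comparison proposed in the message above, sketched as an added example that is not part of either message or of the paper: a nearest-profile classifier over (direction, size class) counts, evaluated before and after a padding-plus-injection defense. The size thresholds, the packet budget, the traces and all function names are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed thresholds and constructed traces; none of these values come from the paper.
SHORT_MAX, FULL = 200, 1200   # bytes

def size_class(n):
    return "short" if n <= SHORT_MAX else "full" if n >= FULL else "medium"

def features(trace):
    """Histogram of (direction, size class); '>' is client to server, '<' the reverse."""
    return Counter((d, size_class(n)) for d, n in trace)

def classify(trace, profiles):
    """Nearest profile by L1 distance between histograms."""
    f = features(trace)
    def dist(p):
        return sum(abs(f[k] - p[k]) for k in set(f) | set(p))
    return min(profiles, key=lambda site: dist(profiles[site]))

def defend(trace, budget):
    """Pad every packet to FULL (PADDING frames), then inject padded PING-only
    packets until each direction carries `budget` packets. Traces longer than
    the budget are not equalized."""
    out = [(d, FULL) for d, _ in trace]
    for d in "<>":
        have = sum(1 for x, _ in trace if x == d)
        out += [(d, FULL)] * max(0, budget - have)
    return out

def overhead(trace, budget):
    """Bytes on the wire after the defense divided by bytes before it."""
    return sum(n for _, n in defend(trace, budget)) / sum(n for _, n in trace)

# Constructed (direction, size) traces for two hypothetical sites and one fresh visit.
SITE_A = [(">", 350), ("<", 1200), ("<", 1200), ("<", 1200), (">", 60), ("<", 800)]
SITE_B = [(">", 350), ("<", 1200), (">", 60), ("<", 150),
          (">", 60), ("<", 150), (">", 400), ("<", 600)]
VISIT_A = [(">", 340), ("<", 1200), ("<", 1200), (">", 70),
           ("<", 1200), ("<", 900), ("<", 1200)]
PROFILES = {"site_a": features(SITE_A), "site_b": features(SITE_B)}

if __name__ == "__main__":
    print(classify(VISIT_A, PROFILES))                                  # undefended visit
    print(features(defend(SITE_A, 5)) == features(defend(SITE_B, 5)))   # defended traces
    print(round(overhead(SITE_A, 5), 2), round(overhead(SITE_B, 5), 2))
```

With these constructed traces the defended histograms are identical, so this feature set no longer separates the two sites, at a bandwidth cost of roughly 2.5x and 4x; features the sketch ignores, such as timing and packet order, would need their own treatment.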