Evaluating practical QUIC website fingerprinting defenses for the masses

Sandra Siby, Ludovic Barman, Christopher Wood, Marwan Fayed, Nick Sullivan, Carmela Troncoso

Research output: Contribution to journalArticlepeer-review

Abstract

Abstract: Website fingerprinting (WF) is a well-known threat to users' web privacy. New Internet standards, such as QUIC, include padding to support defenses against WF. Previous work on QUIC WF only analyzes the effectiveness of defenses when users are behind a VPN. Yet, this is not how most users browse the Internet. In this paper, we provide a comprehensive evaluation of QUIC-padding-based defenses against WF when users directly browse the web, i.e., without VPNs, HTTPS proxies, or other tunneling protocols. We confirm previous claims that network-layer padding cannot provide effective protection against powerful adversaries capable of observing all traffic traces. We show that the claims hold even against adversaries with constraints on traffic visibility and processing power. We then show that the current approach to web development, in which the use of third-party resources is the norm, impedes the effective use of padding-based defenses as it requires first and third parties to coordinate in order to thwart traffic analysis. We show that even when coordination is possible, in most cases, protection comes at a high cost.
Original languageEnglish
JournalProceedings on Privacy Enhancing Technologies
DOIs
Publication statusPublished - 2023

Fingerprint

Dive into the research topics of 'Evaluating practical QUIC website fingerprinting defenses for the masses'. Together they form a unique fingerprint.

Cite this