a) all public and explorable via dumps, making it easier for the attacker to experiment and precompute,

I don't think dumps would be useful for precomputation, since the attacker needs to know the exact size of the HTML, not the wikitext. It would be easier to crawl, and that would work against all sites, not just Wikipedia.

b) text, assets, images are split into separate IPs and hence different TLS sessions, which both removes a randomized factor and creates even more unique combinations of traffic patterns.

Transmission of every object is preceded by a request, seen by the attacker as an encrypted flow in the reverse direction. So you can tell the size of every object, even if it is in the same TLS session as other objects. Images are requested in the order they appear on the page.

Say if you pad every object out to the next power of 2, a 25% overhead on average. Then the number of bits you leak is roughly some measure of the variation in base 2 logarithm of size, multiplied by the number of objects. For example, on https://en.wikipedia.org/wiki/Tiananmen_Square_protests_of_1989 , there are 28 images, and the standard deviation of the base 2 logarithm of the sizes of those images is 2.23, so that implies we are leaking about 62 bits of length information about that request, not including HTML size. By that metric, you would have to pad objects out to the next power of 16 to provide reasonable obfuscation.

Padding with a random number of bytes is not much better in terms of information leakage than padding to an exact size class. Unless you added a similar amount of padding (16x), you would be able to determine the article being viewed with high confidence. A feasible algorithm would be to calculate a distance metric between the observed object sizes and the object sizes of each known Wikipedia article. For example, take the object sizes into a 100-dimensional vector, with zeroes representing empty image slots, and find the minimum dot product (x-y).(x-y). It will give the right answer for well-illustrated articles unless the padding is enormous.

So I don't think HTTPS+HTML is the right protocol to provide this sort of privacy guarantee. Maybe it is possible with SPDY.

In the IETF's TLS working group, we're aiming to add a padding mechanism at the TLS layer, so that should give you a place to do the padding that won't be interfered with by gzip (or whatever other HTTP weirdness pops up) at the application layer.

If we can get consensus on that in the next few weeks (which i expect we'll be able to do), i'll try to also write it up as an extension for TLS 1.0 through 1.2.

This provides mechanism, but no explicit policy; we need to think about the policy as well, so i'm glad this discussion is happening.

tstarling wrote:

I don't think dumps would be useful for precomputation, since the attacker needs to know the exact size of the HTML, not the wikitext. It would be easier to crawl, and that would work against all sites, not just Wikipedia.

an attacker doing this kind of work can use the dumps to generate the HTML text offline to get the pagesize to a pretty reasonable degree of accuracy, without tipping their hand that they're doing so by operating a crawler.

So I do think that the fact that dumps are available is relevant to this attack on user privacy.

I agree with tstarling that generic randomized padding is unlikely to be an effective approach on its own, and with faidon that bucket-based padding with random placement might be a useful strategy.

This is a concrete attack. See, for example I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis But the attack is a statistical one. Adding padding may not make all content completely opaque, but it broadens the anonymity set substantially (especially for less-illustrated articles).

(Moved to Security-General, because its publicly visible and not related to MediaWiki core)

Related: https://tom.vg/papers/heist_blackhat2016.pdf

In T92298#2795655, @BBlack wrote:

My current thinking on this is that it's best to wait on TLSv1.3's padding mechanism to be available. It's in the current draft at: https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-5.4

That is now https://tools.ietf.org/html/rfc8446#section-5.4 in the approved RfC.

Do we support TLS 1.3 yet? I'm apparently connecting over 1.2 still.

Note that TLSv1.3 doesn't include anything about bucketing or randomization strategies, it simply provides a mechanism for padding to be injected at the TLS layer, to be controlled by logic that's outside of the TLS spec's scope. At that point we'll probably still need to look at the TLS library and/or server and possibly patch them (currently OpenSSL+nginx, but could change by then).

For openssl, I believe this is possible with https://www.openssl.org/docs/man1.1.1/man3/SSL_set_block_padding.html

In T92298#5329217, @Legoktm wrote:

Do we support TLS 1.3 yet? I'm apparently connecting over 1.2 still.

No -- T170567: Support TLSv1.3

The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all tickets that aren't are neither part of our current planned work nor clearly a recent, higher-priority emergent issue. This is simply one step in a larger task cleanup effort. Further triage of these tickets (and especially, organizing future potential project ideas from them into a new medium) will occur afterwards! For more detail, have a look at the extended explanation on the main page of Traffic-Icebox . Thank you!

I just want to mention I saw this attack being exampled in a book about web security with Wikipedia explicitly mentioned as a vulnerable case.

it is worth noting that although HTTPS as such is a sound scheme that resists both passive and active attackers, it does very little to hide the evidence of access to a priori public information. It does not mask the rough HTTP request and response sizes, traffic directions, and timing patterns in a typical browsing session, thus making it possible for unsophisticated, passive attackers to figure out, for example, which embarrassing page on Wikipedia is being viewed by the victim over an encrypted channel.

The tangled web. Page 65

(The Tangled Web is a 2012 by Michal Zalewski)

Good find. I don't think he's explicitly trying to call out Wikipedia, just listing it as an example of public resource.

Interestingly, the next phrase provides the study https://www.microsoft.com/en-us/research/publication/side-channel-leaks-in-web-applications-a-reality-today-a-challenge-tomorrow/ where they found actual information leaks in real high-profile websites.

It's probably out of reach to fix this for users with images enabled. It may be possible to bucketize the served html for the articles, though.