Evaluating practical QUIC website fingerprinting defenses for the masses

Authors: Sandra Siby (Imperial College London), Ludovic Barman (EPFL), Christopher Wood (Cloudflare Inc.), Marwan Fayed (Cloudflare Inc.), Nick Sullivan (Cloudflare Inc.), Carmela Troncoso (EPFL)

Volume: 2023
Issue: 4
Pages: 79–95
DOI: https://doi.org/10.56553/popets-2023-0099

artifact

Download PDF

Abstract: Website fingerprinting (WF) is a well-known threat to users' web privacy. New Internet standards, such as QUIC, include padding to support defenses against WF. Previous work on QUIC WF only analyzes the effectiveness of defenses when users are behind a VPN. Yet, this is not how most users browse the Internet. In this paper, we provide a comprehensive evaluation of QUIC-padding-based defenses against WF when users directly browse the web, i.e., without VPNs, HTTPS proxies, or other tunneling protocols. We confirm previous claims that network-layer padding cannot provide effective protection against powerful adversaries capable of observing all traffic traces. We show that the claims hold even against adversaries with constraints on traffic visibility and processing power. We then show that the current approach to web development, in which the use of third-party resources is the norm, impedes the effective use of padding-based defenses as it requires first and third parties to coordinate in order to thwart traffic analysis. We show that even when coordination is possible, in most cases, protection comes at a high cost.

Keywords: website fingerprinting defenses, QUIC, traffic analysis

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.