Academics argue that Netflix’s recent upgrade to HTTPS is doing little to protect its users from a passive traffic analysis attack.
According to Andrew Reed and Michael Kranch, researchers with the U.S. Military Academy at West Point, it wouldn’t take much work for an attacker to capture traffic and sniff out what a user was watching, even if they were using HTML5 to do so.
For the work, the researchers built a system that can determine which Netflix video is being delivered by a TCP connection using only information taken from TCP/IP headers.
The two presented their research on the topic, “Identifying HTTPS-Protected Netflix Videos in Real-Time,” (.PDF) at the annual ACM Conference on Data and Application Security and Privacy in Scottsdale, Ariz. late last month. Both researchers work in the Academy’s Department of Electrical Engineering and Computer Science; Kranch is an instructor, Reed is an assistant professor.
For the system, the two created a comprehensive database, fingerprinting more than 42,000 videos available on the service, and found they could determine which video is which with greater than 99.99 percent accuracy. While a nearly 100 percent success rate is impressive, Reed and Kranch’s system also excels when tested against randomly chosen streams.
“When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream,” the paper reads.
When it came to processing information, the researchers used adudump, a command line program that can infer the size of data units, and OpenWPM, a framework for carrying out web measurement studies.
The crux of the paper is that two technologies used by Netflix to stream video, DASH (Dynamic Adaptive Streaming over HTTP) via Microsoft Silverlight, and VBR (variable bitrate), leak bits of metadata during the first few seconds a video is transmitted. That data gave the researchers enough information to create a fingerprint. The paper builds on research published last year by Reed and Benjamin Klimkowski, another researcher at the U.S. Military Academy. While HTTPS helps prevent deep packet inspection, it can’t combat a passive traffic analysis attack, the two said.
The usage of DASH and VBR is really the Achilles’ heel here, Reed and Kranch say.
Netflix began distancing itself from Silverlight in favor of HTML5 years ago, but any streaming service that runs a combination of VBR and DASH, even HTML5 implementations, could realistically have the same weakness, the researchers say.
Netflix began using HTTPS to encrypt how it transports video content, chiefly to protect user privacy, via its Open Connect infrastructure, early last year. In an academic paper published by Netflix developers last year (.PDF) the company said it expected the majority of its users’ streaming sessions would use TLS encryption by the end of 2016.
“This helps protect member privacy, particularly when the network is insecure,” developers behind the effort said last August, “ensuring that our members are safe from eavesdropping by anyone who might want to record their viewing habits.”
The move prevents spies from being able to analyze HTTP headers and payload data, bits of data that contain information on the video content being viewed.
Netflix, for its part, acknowledged Reed and Kranch’s paper on Wednesday and pointed out the issue is a known drawback to processing video streams on any platform via HTTPS.
“Member privacy is critically important to Netflix, which is why we use HTTPS encryption and other security measures to protect our members. The issue identified in the paper is a known limitation of HTTPS when applied to video streams, and is therefore not specific to Netflix,” the company told Threatpost Wednesday.
“No personally identifiable information, such as names or email addresses, are visible or impacted. Netflix will continue to monitor the issue as part of our overall goal to continually improve protections we provide to members.”
The attack would likely be difficult to carry out: in addition to fingerprinting the videos, an attacker would need sophisticated networking skills and ISP or Internet Exchange level network access.
That said, to fix the issue, Reed and Kranch are encouraging Netflix to look into hardening DASH and VBR further, if possible.
“As streaming video continues to grow, we believe that streaming services and network researchers should work to solve the privacy issues inherent to DASH and VBR encoding,” the two write. One way to do so could be to change the byte-range portion of the HTTP GETs sent by browsers so that they don’t align with individual video segment boundaries.
“As an alternative approach, the browser could randomly combine consecutive segments and send HTTP GETs for the combined video data. Designing obfuscation techniques for VBR DASH streams that do not degrade video quality remains a potential area for future research.”
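The leak and the segment-combining mitigation described above can be seen on synthetic data in the following added example, which is not the researchers' code or matching method. The catalog, the 500-byte overhead, the window length and the tolerance are all assumptions, and response sizes are assumed to be recoverable from TCP/IP headers as the article states.

```python
import random

WINDOW = 8        # consecutive responses compared at once (assumed value)
TOLERANCE = 0.01  # allowed relative size difference (assumed value)

def make_catalog(n_titles=50, n_segments=120, seed=1):
    """Constructed sample data: VBR segment sizes in bytes for each title."""
    rng = random.Random(seed)
    return {f"title-{i}": [rng.randint(500_000, 900_000) for _ in range(n_segments)]
            for i in range(n_titles)}

def observe_plain(segments, overhead=500):
    """One HTTP GET per segment: an observer sees each segment size plus a
    small, roughly constant header overhead (500 bytes is an assumption)."""
    return [s + overhead for s in segments]

def observe_combined(segments, rng, overhead=500):
    """Mitigation from the quote: each GET covers a random run of 2 or 3
    consecutive segments, so only the sum of their sizes is visible."""
    out, i = [], 0
    while i < len(segments):
        k = rng.randint(2, 3)
        out.append(sum(segments[i:i + k]) + overhead)
        i += k
    return out

def window_matches(probe, sizes):
    """True if probe lines up with some run of consecutive sizes in a title."""
    return any(
        all(abs(o - s) <= TOLERANCE * s
            for o, s in zip(probe, sizes[off:off + WINDOW]))
        for off in range(len(sizes) - WINDOW + 1))

def identify(observed, catalog):
    """Titles for which any WINDOW-long slice of the observed sizes matches."""
    found = set()
    for start in range(len(observed) - WINDOW + 1):
        probe = observed[start:start + WINDOW]
        found |= {t for t, sizes in catalog.items() if window_matches(probe, sizes)}
    return found

if __name__ == "__main__":
    catalog = make_catalog()
    watched = catalog["title-7"][30:90]  # 60 segments from the middle of one stream
    print("per-segment GETs:", identify(observe_plain(watched), catalog))
    print("combined GETs:   ", identify(observe_combined(watched, random.Random(2)), catalog))
```

The empty result for combined requests shows only that this per-segment matcher no longer lines up with the catalog. It is not a measure of how much privacy the mitigation provides, which the quoted passage leaves as future research.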