ABSTRACT

A recent study showed that the encrypted traffic of many popular web applications may actually disclose highly sensitive data, such as health information and family income, and consequently lead to serious breaches of user privacy [1]. By analyzing observable information, such as a sequence of directional packet sizes and timing, an eavesdropper can potentially identify an application's internal state transitions as well as user inputs. Moreover, such side-channel attacks are shown to be pervasive and fundamental in the age of cloud computing because of intrinsic characteristics of web applications: low-entropy inputs (caused by autosuggestion features), rich and diverse resource objects (which cause distinctive traffic patterns), and stateful communications (which allow adversaries to combine multiple observations).
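The following added example (not code from the paper) models the leak the abstract describes: a constructed, hypothetical table of autosuggest response sizes per typed letter, the eavesdropper's lookup from an observed size back to the candidate inputs, the combination of several observations, and how much input entropy survives once responses are padded to a fixed granularity, which is the usual mitigation. The table values and the padding function are assumptions for illustration, not measurements.

```python
import math
from collections import defaultdict
from itertools import product
from typing import Dict, List, Sequence

# Constructed sample (hypothetical, not measured): response size in bytes that an
# autosuggest endpoint returns for each first letter a user types.
SUGGEST_RESPONSE_SIZES: Dict[str, int] = {
    "a": 512, "b": 531, "c": 547, "d": 509,
    "e": 560, "f": 498, "g": 575, "h": 520,
}


def observed_size(size: int, pad_to: int) -> int:
    """Size seen on the wire once the server pads each response up to a multiple of pad_to."""
    return math.ceil(size / pad_to) * pad_to


def group_by_observation(sizes: Dict[str, int], pad_to: int = 1) -> Dict[int, List[str]]:
    """Map each observable size to the inputs that produce it (the eavesdropper's lookup table)."""
    groups: Dict[int, List[str]] = defaultdict(list)
    for key, size in sorted(sizes.items()):
        groups[observed_size(size, pad_to)].append(key)
    return dict(groups)


def candidates(observation: Sequence[int], sizes: Dict[str, int], pad_to: int = 1) -> List[str]:
    """Inputs consistent with a sequence of observed response sizes, one per keystroke.
    Simplification: every keystroke is looked up in the same per-letter table."""
    table = group_by_observation(sizes, pad_to)
    per_step = [table.get(obs, []) for obs in observation]
    return ["".join(t) for t in product(*per_step)]


def remaining_entropy_bits(sizes: Dict[str, int], pad_to: int = 1) -> float:
    """Expected bits of the input still unknown after one padded response is observed
    (inputs assumed equiprobable): sum over groups of P(group) * log2(|group|)."""
    n = len(sizes)
    groups = group_by_observation(sizes, pad_to).values()
    return sum(len(g) / n * math.log2(len(g)) for g in groups)


if __name__ == "__main__":
    # Unpadded: every letter has its own size, so one observation reveals the keystroke.
    # Padding to 64 bytes merges letters into two groups; padding to 1024 hides all of them.
    for pad in (1, 64, 1024):
        groups = group_by_observation(SUGGEST_RESPONSE_SIZES, pad)
        print(f"pad_to={pad}: {groups} -> {remaining_entropy_bits(SUGGEST_RESPONSE_SIZES, pad):.2f} bits left")
```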