Upturn - What ISPs Can See v.1.0
publicité
What IP Can ee
Clarifing the technical landcape of the roadand
privac deate
March 2016
Verion 1.0
© 2016 Upturn.
Licened under a Creative Common Attriution 4.0 International Licene.
Tale of Content
1 Introduction
2 Four Ke Technical Clarification
1. Trul pervaive encrption on the Internet i till a long wa off.
2. ven with HTTP, IP can till ee the domain that their ucrier viit.
3. ncrpted Internet traffic itelf can e urpriingl revealing.
4. VPN are poorl adopted, and can provide incomplete protection.
3 Concluion
4 Aout Thi Report
Aout the Author
Introduction
In 2015, the Federal Communication Commiion (FCC) reclaified roadand
Internet ervice provider (IP) a common carrier under Title II of the
Communication Act. 1 Thi hift triggered a tatutor mandate for the FCC to
protect the privac of roadand Internet ucrier’ information. 2 The FCC i now
conidering how to craft new rule to clarif the privac oligation of roadand
provider. 3
Lat week, the Intitute for Information ecurit & Privac at Georgia Tech releaed a
working paper whoe enior author i Profeor Peter wire, entitled “Online Privac
and IP.” 4 The paper decrie itelf a a “factual and decriptive foundation” for the
FCC a the Commiion conider how to approach roadand privac. 5 The paper
ugget that certain technical factor limit IP’ viiilit into their ucrier’
online activitie. It alo highlight the data collection practice of other (non-IP)
plaer in the Internet ecotem. 6
We elieve that the wire paper, although technicall accurate in mot of it
particular, could leave reader with ome mitaken impreion aout what
roadand IP can ee. We offer thi report a a complement to the wire paper, and
an alternative, technicall expert aement of the preent and potential future
monitoring capailitie availale to IP.
We oerve that:
1. Trul pervaive encrption on the Internet i till a long wa off. The fraction of
total Internet traffic that’ encrpted i a poor prox for the privac interet of a
tpical uer. Man ite till don’t encrpt: for example, in each of three ke
categorie that we examined (health, new, and hopping), more than 85% of the top
50 ite till fail to encrpt rowing default. Thi long tail of unencrpted we
traffic allow IP to ee when their uer reearch medical condition, eek advice
aout det, or hop for an of a wide gamut of conumer product.
2. ven with HTTP, IP can till ee the domain that their ucrier viit. Thi
tpe of metadata can e ver revealing, epeciall over time. And IP are alread
known to look at thi data — for example, ome IP analze DN quer information
for jutified network management purpoe, including identifing which of their uer
are acceing domain name indicative of malware infection.
3. ncrpted Internet traffic itelf can e urpriingl revealing. In recent ear,
computer cience reearcher have demontrated that network operator can learn a
urpriing amount aout the content of encrpted traffic without reaking or
1
weakening encrption. examining the feature of network traffic — like the ize,
timing and detination of the encrpted packet — it i poile to uniquel identif
certain we page viit or otherwie otain information aout what the traffic
contain.
4. VPN are poorl adopted, and can provide incomplete protection. VPN have
een commerciall availale for ear, ut the are ued parel in the United tate,
for a range of reaon we decrie elow.
We agree that pulic polic need to e uilt on an accurate technical foundation, and
we elieve that thoughtful policie, epeciall thoe related to Internet technologie,
hould e reaonal rout to foreeeale technical development.
We intend for thi report to ait policmaker, advocate, and the general pulic a
the conider the technical capailitie of roadand IP, and the roader technical
context within which thi polic deate i happening. Thi paper doe not, however,
take a poition on an quetion of pulic polic.
2
Four Ke Technical Clarification
1. Trul pervaive encrption on the Internet i till a long wa off.
Toda, a ignificant portion of Internet activit remain unencrpted. When a we ite
ue the unencrpted Hpertext Tranfer Protocol (HTTP), an IP can ee the full
Uniform Reource Locator (URL) and the content for an we page requeted the
uer. Although man popular, high-traffic we ite have adopted encrption
default, 7 a “long tail” of we ite have not.
The fraction of total traffic that i encrpted on the Internet i a poor guide to the
privac interet of a tpical uer. The wire paper argue that “the norm ha ecome
that deep link and content are encrpted on the Internet,” aing it claim on the
true oervation that “an etimated 70 percent of traffic will e encrpted the end
of 2016.” 8 However, thi numer include traffic from ite like Netflix, which itelf
account for aout 35% of all downtream Internet traffic in North America. 9
enitivit doen’t depend on volume. For intance, watching the full Ultra HD
tream of The Amazing pider-Man could generate more than 40G of traffic, while
retrieving the WeMD page for “pancreatic cancer” generate le than 2M. The
page i 20,000 time le data volume, ut likel far more enitive than the movie.
(WeMD ha et to offer uer the option of ecure HTTP connection, much le to
make that option the ole or default choice.)
We conducted a rief urve of the 50 mot popular we ite in the each of three
categorie — health, new and hopping — a ranked Alexa. 10
The Long Tail of Unencrpted We Traffic
Alexa Top 50 ite, Categor
Categor
Percent of ite
that Do Not ncrpt
rowing Default
xample URL for Unencrpted We ite
http://wemd.com/hiv-aid/guide/…
http://maoclinic.org/…cancer…
Health
86%
http://medicinenet.org/…eczema…
http://health.com/exual-health
http://who.int/…childhood-hearing-lo…
3
http://ntime.com/…tax-tip…
http://huffingtonpot.com/divorce
New
90%
http://video.foxnew.com/…ex-after-50…
http://time.com/…ga-right…
http://ankrate.com/det-management…
http://ikea.com/…athroom…
http://target.com/…tud-ile…
hopping
86%
http://mac.com/…maternit-clothe…
http://edathandeond.com/…acne-wah…
http://toru.com/…Toddler-To…
We found that the vat majorit of thee we ite — more than 85% of ite in each
of the three area — till do not full upport encrpted rowing default. 11 Thee
ite included reference on a full range of medical condition, advice aout det
management, and product liting for hundred of million of conumer product. For
thee unencrpted page, IP can ee oth the full we ite URL and the pecific
content on each we page. Man ite are mall in data volume, ut high in privac
enitivit. The can paint a revealing picture of the uer’ online and offline life, even
within a hort period of time.
ite truggle to adopt encrption. From the perpective of one of thee
unencrpted we ite, it can e ver challenging to migrate to HTTP, epeciall
when the ite relie on a wide range of third-part partner for ervice including
advertiing, analtic, tracking, or emedded video. In order for a ite to migrate to
HTTP without triggering warning in it uer’ rower, each one of the third-part
partner that ite ue on it page mut upport HTTP. 12
4
Ad tracker HTTP upport rate on the Alexa top 100 new ite (via Citizenla)
Getting third-part partner to upport HTTP i a eriou hurdle, even for ite that
want to make the witch. 13 For example, in a 2015 urve of 2,156 online advertiing
ervice, more than 85% did not upport HTTP. 14 Moreover, a of earl 2015, onl
38% of the 123 ervice in the Digital Advertiing Alliance’ own dataae upported
HTTP. 15 In the figure aove, decriing the top 100 new ite, each unit of red or
urgund indicate a third-part partner that doe not upport HTTP. In order for
an one of thee new ite to provide it content to uer ecurel (without creating
warning or error meage) the puliher mut either wait for all of it red and
urgund partner to turn green, or ele aandon thoe partner on an ecure part
of it ite. The online advertiing indutr i working to improve it ecurit poture, 16
ut clearl there remain a long road ahead.
Internet of Thing device often tranmit data without encrption. It’ not onl we
ite that fail to encrpt traffic tranmitted over roadand connection. Man
Internet of Thing (IoT) device, uch a mart thermotat, home voice integration
tem, and other appliance, fail to encrpt at leat ome of the traffic that the
end and receive. 17 For example, reearcher at the Center for Information
Technolog Polic at Princeton recentl found a range of popular device — from the
Net thermotat to the Ui voice tem, to the Pixtar photo frame — tranmitting
unencrpted data acro the network. 18 “Invetigating the traffic to and from thee
device turned out to e much eaier than expected,” oerved Profeor Nick
19
5
Feamter. 19
A more uer adopt moile device, the communicate with a greater numer of
IP. Ue of moile device i growing rapidl a a portion of uer’ overall Internet
activit. The wire paper oerve that toda’ IP face a more “fractured world” in
which the have a “le comprehenive view of a uer’ Internet activit.” 20 It i true
that toda, man conumer’ peronal Internet activitie are pread out over everal
connection: a home provider, a workplace provider, and a moile provider. However,
a uer often ha repeated, ongoing, long-term interaction with oth her moile and
her wireline provider. Over time, each IP can ee a utantial amount of that uer’
Internet traffic. There’ plent of activit to go around: The amount of time U..
conumer pend on connected device ha increaed ever ear ince 2008. 21
2. ven with HTTP, IP can till ee the domain that their
ucrier viit.
The increaed ue of encrption on the We i a utantial privac improvement for
uer. When a we ite doe ue HTTP, an IP cannot ee URL and content in
unencrpted form. However, IP can till almot alwa ee the domain name that
their ucrier viit.
DN querie are almot never encrpted. 22 IP can ee the viited domain for each
ucrier monitoring requet to the Domain Name tem (DN). DN i a pulic
director that tranlate a domain name (like Ŝ ) into a
correponding IP addree (like ɨɮɨŜɨɭɨŜɨɫɯŜɨɬɥ). efore the uer viit
Ŝ for the firt time, the uer’ computer mut firt learn the ite’
IP addre, o the computer automaticall end a ackground DN quer aout
Ŝ .
ven if connection to Ŝ are encrpted, DN querie aout
Ŝ are not. In fact, DN querie are almot never encrpted. IP
could impl monitor what querie it uer are making over the network.
Collection and ue of DN querie IP i practical, i cot effective, and
happen toda on IP network. ecaue the uer’ computer i aigned default
to ue the IP’ DN erver, the IP i generall capale of retaining and analzing
record of the querie, which the uer themelve end to the IP in the normal
coure of their rowing. The wire paper aert that it “appear to e impractical
and cot-prohiitive” to collect and ue DN querie, ut cite no technical or other
authorit for that aement. 23 Our technical experience indicate that logging i
oth feaile and relativel cheap to do: Modern networking equipment can eail log
thee requet for later anali. Moreover, even if the uer’ computer i peciall
configured to ue an external DN erver (not operated the uer’ IP), the DN
querie mut till reach that external erver unencrpted, and thoe querie mut till
travel over the IP’ network, creating the opportunit to inpect them.
In fact, IP alread do monitor uer DN querie for valid network management
purpoe, including to detect potential infection of maliciou oftware on uer
device. 24 Certain domain name are ued olel maliciou oftware tool, and real
uer traffic can e analzed to identif and lock uch domain. 25 Moreover, when an
individual uer viit a compromied domain, thi i a trong ign that one or more of
6
that uer’ device i infected, and commerciall availale tool allow IP to notif
the uer aout the potential infection. 26 According to literature from a network
equipment vendor, Comcat currentl deplo thi ecurit-focued, per-ucrier
DN monitoring functionalit on it network. 27
Reearcher in 2011 alo found that everal mall IP were alread leveraging their
role a DN provider to not onl monitor, ut activel interfere with, DN reolution
for their uer. 28 To e clear, we are not aware of an evidence that large IP have
et egun to ue DN querie in privac-invaive wa, much le to interfere with
ucrier’ querie along the line detected in 2011. We oerve here onl that it i
technologicall feaile toda for IP oth to monitor and to interfere with DN
querie.
Although network ecurit i not utantiall impacted a modet to moderate
amount of VPN uage, there are meaningful engineering downide to a future in
which mot or all DN querie are crptographicall concealed from the end uer’
IP. (uch a future could, for example, make it more difficult for IP to provide earl
and detection and wift repone for ome kind of malware attack.) At the ame
time, a long a the uer’ DN querie are viile to the IP for network management
purpoe, the IP will alo have a technologicall feaile option to analze thoe
querie in wa that would compromie uer privac.
ven a hort erie of viited domain from one ucrier can e enitive. A
pivotal moment in a uer’ life, for example, could generate the following log at the
uer’ IP (auming the uer han’t inveted in pecial privac tool):
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɫśɫɫƄ Ŝ
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɪɬśɩɪƄŜ
ƃɩɥɨɬŵɥɪŵɥɰɨɯśɫɩśɩɰƄ Ŝ
ƃɩɥɨɬŵɥɪŵɥɰɨɰśɥɩśɨɩƄŜŜ
Over a longer period of time, metadata can paint a revealing picture aout a
ucrier’ hait and interet. A other polic dicuion have made clear in
recent ear, metadata i ver revealing over time. 29 For example, in the context of
telephon metadata, the Preident’ Review Group on Intelligence and
Communication Technologie found that “the record of ever telephone call an
individual make or receive over the coure of everal ear can reveal an enormou
amount aout that individual’ private life.” 30 The Group went on to note that “[i]n a
world of ever more complex technolog, it i increaingl unclear whether the
ditinction etween ‘meta-data’ and other information carrie much weight.” 31
Thi reaoning applie with equal trength to domain name, which we elieve are
likel to e even more revealing than telephone record. uch a lit of domain could
alo indicate the preence of variou “mart” device in the ucrier’ home, aed
on the known domain that thee device automaticall connect to. 32
3. ncrpted Internet traffic itelf can e urpriingl revealing.
ncrption top IP from impl reading content and URL information directl off
the wire. However, it i important to undertand that encrption till leave open a
wide variet of other, le direct method for IP to monitor their uer if the
7
choe.
A growing od of computer cience reearch demontrate that a network operator
can learn a urpriing amount aout the content of encrpted traffic without
reaking or weakening encrption. examining the feature of the traffic — like the
ize, timing and detination of the encrpted packet — it i poile to uniquel
identif certain we page viit or otherwie reveal information aout what thoe
packet likel contain. In the technical literature, inference reached in thi wa are
called “ide channel” information.
ome of thee method are alread in ue in the field toda: in countrie that cenor
the Internet, government authoritie are ale to identif and dirupt targeted data
acce aed on it econdar trait even when acce i encrpted. Concerningl,
uch nation often rel on Wetern technolog vendor, whoe advanced product
allow cenor increaingl to analze and act on traffic at “line peed” (that i, in real
time, a the data pae through a network). 33
The ide channel method that we decrie elow are likel not ued (or at leat not
widel ued) IP toda. ut a encrption pread, thee technique might
ecome much more compelling. Policmaker hould have a clear undertanding of
what’ poile for IP to learn, oth now and in the future.
Identifing pecific ite and page. We ite fingerprinting i a well-known
technique that allow an IP to potentiall identif the pecific encrpted we page
that a uer i viiting. 34 Thi technique leverage the fact that different we ite
have different feature: the end differing amount of content, and the load
different third-part reource, from different location, in different order.
examining thee feature, it’ often poile to uniquel identif the pecific we
page that the uer i acceing, depite the ue of trong encrption when the we
ite i in tranit.
Reearcher have pulihed numerou tudie on the topic of we ite fingerprinting.
In one earl tud uing a relativel aic technique, reearcher found that
approximatel 60% of the we page the tudied were uniquel identifiale aed on
uch unconcealed feature. 35 Later tudie have introduced more advanced
technique, a well a poile countermeaure. ut even with variou defene in
place, reearcher were till ale to ditinguih preciel which out of a hundred
different ite a uer wa viiting, more than 50% of the time. 36
Thi od of reearch illutrate that decrpting a communication in’t necearil
the onl wa to “ee” it. The wire paper aert that “[w]ith encrpted content, IP
cannot ee detailed URL and content even if the tr.” 37 To e full accurate,
however, that claim require qualification: IP generall cannot decrpt detailed
URL and content. ut, thi cla of reearch demontrate that with ome amount of
effort, it would indeed e feaile for IP to learn detailed URL (and through thoe
URL, in ome intance, the actual content of we page) in a range of real-world
ituation.
8
The autocomplete feature on Google’ earch engine.
Deriving earch querie. Popular earch engine — like Google, Yahoo and ing —
provide a uer-friendl feature called auto-ugget: after the uer enter each
character, the earch engine ugget a lit of popular earch querie that match the
current prefix, in an attempt to gue what the uer i earching for. analzing the
ditinctive ize of thee encrpted uggetion lit that are tranmitted after each
ke pre, reearcher were ale to deduce the individual character that the uer
tped into the earch ox, which together reveal the uer’ entire earch quer. 38
Inferring other “hidden” content. Reearcher have applied imilar method to infer
the medical condition of uer of a peronal health we ite, and the annual famil
income and invetment choice of uer of a leading financial we ite — even though
oth of thoe ite are onl reachale via encrpted, HTTP connection. 39 (Again,
the reearcher otained thee reult without decrpting the encrpted traffic.)
Other reearcher of ide-channel method have een ale to recontruct portion of
encrpted VoIP converation, 40 and uer action from within encrpted Android
app. 41
uch example have led reearcher to conclude that ide-channel information leak
on the we are “a realitic and eriou threat to uer privac.” 42 Thee tpe of leak
are often difficult or expenive to prevent. There ha een ignificant computer
cience reearch into practical defene to defeat thee ide-channel method. ut
a one group of reearcher concluded, “in the context of weite identification, it i
unlikel that andwidth-efficient, general-purpoe [traffic anali] countermeaure
can ever provide the tpe of ecurit targeted in prior work.” 43
Thee method are in the la toda — not et in the field, a far a we know. ut the
path from computer cience reearch to widepread deploment of a new technolog
can e hort.
4. VPN are poorl adopted, and can provide incomplete protection.
One wa that ucrier can protect their Internet traffic in tranit i to ue a virtual
private network (VPN). VPN are often found in uine etting, enaling emploee
who are awa from the office to connect ecurel over the Internet to their
compan’ internal network (often with etup help from the emploer’ IT
department). When uing a VPN, the uer’ computer etalihe an encrpted tunnel
to the VPN erver (a, the one operated the emploee’ compan) and then,
depending on the VPN configuration, end ome or all of the uer’ Internet traffic
through the encrpted tunnel.
The wire paper preent VPN (and other encrpted prox ervice) a an up-andcoming ource of protection for ucrier. 44 However, there are reaon to
quetion whether VPN will in fact have a ignificant impact on peronal Internet ue
9
in the United tate.
U.. ucrier rarel make peronal ue of VPN. VPN have een commerciall
availale for ear, ut the are ued parel in the United tate. According to a
2014 urve cited the wire paper, onl 16% of North American uer have ued a
VPN (or a prox ervice) to connect to the Internet. 45 Thi figure decrie the
percent of uer who have ever ued a VPN or a prox efore — not thoe who ue
uch ervice on a conitent or dail ai, which i what protection from peritent
IP monitoring would actuall require. Moreover, man of the 16% of uer who have
ued a VPN are likel uine uer, rather than peronal uer looking to protect
their privac. It i fair to conclude that onl a ver mall numer of U.. uer actuall
ue a VPN or prox ervice on a conitent ai for peronal privac purpoe.
Moreover, everal adoption hurdle are likel to deter unophiticated uer. Reliale
VPN can e cotl, requiring an additional paid monthl ucription on top of the
uer’ Internet ervice. The alo low down the uer’ Internet peed, ince the
route traffic through an intermediate erver. (There are free VPN ervice availale,
ut ucrier generall get what the pa for. 46 )
Relative to other countrie, the rate of VPN ue in the U.. i among the lowet in the
world. 47 VPN ue i much more pronounced in other countrie like Indoneia, Thailand
and China, where Internet uer turn to VPN a wa to circumvent online cenorhip,
and to activel gain acce to retricted content. 48
VPN are not a privac ilver ullet. The ue of VPN and encrpted proxie merel
hift uer trut from one intermediar (the IP) to another (the VPN or prox
operator). In order to more thoroughl protect their traffic from their IP, a
ucrier mut entrut that ame traffic to another network operator.
Furthermore, VPN ma not protect uer a well a the wire paper might lead
reader to elieve. The paper tate that “Where VPN are in place, the IP are
locked from eeing . . . the domain name the uer viit.” 49 ut thi i not alwa
true: whether IP can ee the domain name that uer viit depend entirel on the
uer’ VPN configuration — and it would e quite difficult for non-expert to tell
whether their configuration i properl tunneling their DN querie, let alone to know
that thi i a quetion that need to e aked. Thi i particularl common for
Window uer. 50
10
Concluion
Toda, IP can ee a ignificant amount of their ucrier’ Internet activit, and
have the ailit to infer utantial amount of enitive information from it. Thi i
epeciall true when that traffic i unencrpted. However, even when Internet traffic
i encrpted uing HTTP, IP generall retain viiilit into their ucrier’ DN
querie. Detailed anali of DN quer information on a per-ucrier ai i not
onl technicall feaile and cot-effective, ut actuall take place in the field toda.
Moreover, IP and the vendor that erve them have clear opportunitie to develop
method of inferring important information even from encrpted data flow. VPN are
one tool that ucrier can ue to protect their online activitie, ut VPN are
poorl adopted, can e difficult to ue, and often provide incomplete protection.
We hope that thi report will contriute to a more complete undertanding of the
technical capailitie of roadand IP, and the roader technical context within
which the roadand privac deate i happening.
11
Aout Thi Report
Thi report i deigned to provide technical grounding for policmaker and other
intereted partie, regarding the extent of IP viiilit into the activitie of their
ucrier.
The report aim to provide technical information onl, and i not intended to take a
poition on an matter of pulic polic.
Reader who identif an factual error in thi report, or who have other feedack
regarding it content, are warml invited to contact u at hello@teamupturn.com.
Thi report wa upported the Media Democrac Fund.
Aout the Author
Aaron Rieke i a Principal at Upturn. Previoul, he erved a an attorne in the
Federal Trade Commiion’ Diviion of Privac and Identit Protection and a a Ron
Pleer Fellow at the Center for Democrac & Technolog. He earned hi J.D. at
erkele Law.
David Roinon i a Principal at Upturn, with a hrid ackground in law and
technolog polic. David hold a J.D. from Yale Law chool, and previoul erved a
the inaugural Aociate Director of Princeton Univerit’ Center for Information
Technolog Polic.
Harlan Yu i a Principal at Upturn. He hold a Ph.D. in computer cience from
Princeton Univerit and ha extenive hand-on experience working on technolog
polic iue. He received hi .. in electrical engineering and computer cience
from UC erkele.
12
ndnote
1
Federal Communication Commiion, Protecting and Promoting the Open
Internet, No. 14-28, 30 FCC Rcd. 5601, 2015 WL 1120110 (FCC Fe. 26, 2015)
(reclaifing roadand Internet ervice provider a common carrier under Title II
of the Communication Act).
2
ee generall 47 U..C. § 222 (concerning the privac of cutomer information in
the context of telecommunication ervice). ee alo H.R. Rep. No. 104- 458, at 204
(1996) (Conf. Rep.).
3
ee generall Federal Communication Commiion, “Pulic Workhop on
roadand Conumer Privac” (Apr. 2015), http://www.fcc.gov/newevent/event/2015/04/pulic-workhop-on-roadand-conumer-privac.
4
Peter wire et al., “Online Privac and IP: IP Acce to Conumer Data i
Limited and Often Le than Acce Other” (Fe. 29, 2016),
http://www.iip.gatech.edu/ite/default/file/image/online_privac_and_ip.pdf
(hereinafter “wire paper”). Throughout thi report, we refer to the Feruar 29, 2016
verion of the wire paper, which ma change in the future.
5
wire paper, at 6.
6
ee generall wire paper, at 6-14.
7
wire paper, at 36-37.
8
wire paper, at 3.
9
andvine, “Gloal Internet Phenomena potlight: ncrpted Internet Traffic” at 4
(2015), http://www.andvine.com/download/general/gloal-internetphenomena/2015/encrpted-internet-traffic.pdf (hereinafter “andvine 2015
report”).
10
Alexa, Top ite Categor, http://www.alexa.com/topite/categor (lat
viited March 5, 2016).
11
To compile the figure in the tale aove, we viited each ite lited in Alexa’
“Top ite Categor” liting for the categorie of Health, New, and hopping
uing the Google Chrome we rower on March 5, 2016. We counted a we ite a
having “ncrpted rowing naled Default” if the ite ued an HTTP connection
after clicking through the we ite (e.g., looking up a particular medical condition,
reading new torie, or rowing product liting). Man hopping we ite,
including Amazon.com, witch to HTTP onl after a uer initiate a checkout proce
or acce a private account page. However, ecaue uch we ite till tranmitted
lot of “hopping” ehavior over HTTP connection, we did not claif them a
“ncrpted rowing naled Default.”
12
itan Koningurg, Rajiv Pant & lena Kvochko, “mracing HTTP,” N.Y. Time
13
- OPN log (Nov. 13, 2015),
http://open.log.ntime.com/2014/11/13/emracing-http. (“To uccefull
move to HTTP, all requet to page aet need to e made over a ecure channel.
It’ a daunting challenge, and there are a lot of moving part. We have to conider
reource that are currentl eing loaded from inecure domain — everthing from
Javacript to advertiement aet.”) (hereinafter “mracing HTTP”).
13
mracing HTTP (“Conidering the importance of advertiement, thi i ver
likel to e a ignificant hurdle to man media organization’ implementation of
HTTP.”).
14
Andrew Hilt, "ome impreion on Internet advertier ecurit," The Citizen
La (Mar. 30, 2015), http://citizenla.org/2015/03/ome-impreion-on-internetadvertier-ecurit.
15
Id.
16
rendan Riordan-utterworth, “Adopting ncrption: The Need for HTTP,”
IA (Mar. 25, 2015), http://www.ia.com/adopting-encrption-the-need-for-http.
17
Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker
(Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing.
18
Id.
19
Id.
20
wire paper, at 24.
21
Danl oomworth, "Moile Marketing tatitic compilation," mart Inight
(Jul. 22, 2015), http://www.martinight.com/moile-marketing/moile-marketinganaltic/moile-marketing-tatitic.
22
. ortzmeer, DN Privac Conideration, Internet ngineering Tak Force,
Augut 2015, http://tool.ietf.org/html/rfc7626 ("Almot all thi DN traffic i
currentl ent in clear (unencrpted)."). In addition, aide from DN, an encrpted
connection ometime expoe it own domain name deign, in the header of the
encrpted packet. Thi i called erver Name Indication (NI). We won’t get into the
technical weed here aout NI, ut uffice it to a that there are multiple wa for
IP to collect thi information.
23
wire paper, at 15 (claiming that “it appear to e impractical and cotprohiitive” for IP to collect and ue DN lookup data).
24
ee, e.g., Xerocole Partner with Damalla for otnet Detection on Carrier
Network, Pre Releae (Aug. 6, 2012),
http://www.reuter.com/article/idU129911+06-Aug-2012+W20120806 (explaining
that “Damalla CP protect ome of the larget cale and wirele IP network in
the world. monitoring DN activit to detect infected ucrier, Damalla CP i a
‘light weight,’ highl calale and powerful olution for identifing network aue and
infected ucrier.”) (emphai added.)
25
ee, e.g., Mano Antonakaki, Roerto Perdici, David Dagon, Wenke Lee & Nick
Feamter, “uilding a Dnamic Reputation tem for DN,” 19th UNIX ecurit
mpoium, Wahington D.C. (Aug. 11, 2010), availale at
http://www.uenix.org/legac/event/ec10/tech/full_paper/Antonakaki.pdf
(decriing a ecurit tem that “ue paive DN quer data[,] uild model of
known legitimate domain and maliciou domain, and ue thee model to compute
a reputation core for a new domain indicative of whether the domain i maliciou or
14
legitimate,” noting that the author “have evaluated [the tem] in a large IP’
network with DN traffic from 1.4 million uer,” and oerving that the tem “can
identif maliciou domain with high accurac (true poitive rate of 96.8%) and low
fale poitive rate (0.38%), and can identif thee domain week or even month
efore the appear in pulic lacklit.”).
26
ee, e.g., Damalla CP: Advanced Threat Protection for Communication
ervice Provider (product rochure), availale at http://www.damalla.com/wpcontent/upload/2014/08/Damalla-CP.pdf (explaining that the compan’ tem
“monitor DN traffic [of] million of ucrier” with “[z]ero impact to network
performance,” “[a]utomaticall detect compromied ucrier IP addree,”
“[c]apture maliciou querie and correlate finding to generate infection report,”
and “[e]nale ucrier notification” o that ucrier can diinfect their
machine).
27
Id. (quoting an unnamed Comcat executive a aing that “Comcat i uing
otnet detection ervice from Damalla to recognize the command-and-control
erver and will notif cutomer whoe computer are found to e communicating
with thoe erver.”).
28
Chao Zhang et al., “Inflight Modification of Content: Who Are the Culprit?,”
LT (2011),
http://www.uenix.org/legac/event/leet11/tech/full_paper/Zhang.pdf. ee alo
Nate Anderon, “mall IP ue 'maliciou' DN erver to watch We earche, earn
cah,” Ar Technica (Aug. 5, 2011), http://artechnica.com/techpolic/new/2011/08/mall-ip-turn-to-maliciou-dn-erver-to-make-extracah.ar.
29
ee generall The Preident’ Review Group on Intelligence and
Communication Technologie, “Liert and ecurit in a Changing World” (Dec. 12,
2014), availale at http://www.whitehoue.gov/ite/default/file/doc/2013-1212_rg_final_report.pdf (hereinafter “Preident’ Intelligence Review”); ee alo
Tetimon of dward W. Felten, “enate Hearing on Continued Overight of the
Foreign Intelligence urveillance Act” (Oct. 2, 2013) at 8, availale at
http://www.c.princeton.edu/~felten/tetimon-2013-10-02.pdf (“Although thi
metadata might, on firt impreion, eem to e little more than “information
concerning the numer dialed,” anali of telephon metadata often reveal
information that could traditionall onl e otained examining the content of
communication. That i, metadata i often a prox for content.”); ee alo Jonathan
Maer, “MetaPhone: The enitivit of Telephone Metadata” (Mar. 12, 2014),
http://wepolic.org/2014/03/12/metaphone-the-enitivit-of-telephonemetadata.
30
Preident’ Intelligence Review, at 116-117.
31
Preident’ Intelligence Review, at 120-121.
32
Nick Feamter, "Who Will ecure the Internet of Thing?," Freedom to Tinker
(Jan. 29, 2016), http://freedom-to-tinker.com/log/feamter/who-will-ecure-theinternet-of-thing.
33
ee e.g., Citizenla, “ehind lue Coat: Invetigation of commercial filtering in
ria and urma” (Nov. 9, 2011), http://citizenla.org/2011/11/ehind-lue-coat.
34
ee e.g., huo Chen, Rui Wang, XiaoFeng Wang & Kehuan Zhang, “ide-Channel
Leak in We Application: a Realit Toda, a Challenge Tomorrow,” at 3 (2010),
availale at http://reearch.microoft.com/pu/119060/WeAppideChannel-
15
final.pdf (hereinafter “We ide Channel”).
35
ee Qixiang un, Daniel R. imon, Yi-Min Wang, Wilf Ruell, Venkata N.
Padmanahan & Lili Qiu, “tatitical Identification of ncrpted We rowing Traffic”
(2002), availale at http://reearch.microoft.com/app/pu/default.apx?id=69918.
36
ee Xiang Cai, Xin Cheng Zhang, rijeh Johi & Ro Johnon, “Touching from a
Ditance: Weite Fingerprinting Attack and Defene” (2012), availale at
http://www3.c.tonrook.edu/~xcai/fp.pdf.
37
wire paper, at 23.
38
We ide Channel, at 6. (“Interetingl, the auto-uggetion in fact caue a
catatrophic leak of uer input, ecaue the attacker can effectivel diamiguate the
uer’ actual input after ever ketroke matching the ize of the repone
carring the uggetion lit.”). The wire paper aert that “[w]hen the earch i
performed over an HTTP connection, a ha ecome the norm, the IP can onl ee
which earch engine wa ued . . . ut not the earch quer . . . .” However, while it i
true that IP can no longer directl oerve the earch quer in plaintext on the wire,
that i not the IP’ onl option. An IP that mimic the technique demontrated
thee reearcher might till learn the earch querie that uer entered.
39
ee We ide Channel.
40
ee Andrew M. White, Autin R. Matthew, Kevin Z. now & Faian Monroe,
“Phonotactic Recontruction of ncrpted VoIP Converation: Hookt on fon-ik,” in
Proceeding of the I mpoium on ecurit and Privac, at 3-18 (Ma 2011),
availale at http://www.c.unc.edu/~faian/paper/fonik-oak11.pdf.
41
ee Mauro Conti, Luigi V. Mancini, Riccardo polaor & Nino V. Verde, “Can’t You
Hear Me Knocking: Identification of Uer action on Android App via Traffic Anali”
(Jul. 2014), availale at http://arxiv.org/pdf/1407.7844.pdf.
42
We ide Channel, at 1.
43
Kevin P. Der, cott . Coull, Thoma Ritenpart & Thoma hrimpton, “Peeka-oo, I till ee You: Wh fficient Traffic Anali Countermeaure Fail,” at 1
(2012), availale at http://ieeexplore.ieee.org/tamp/tamp.jp?
tp=&arnumer=6234422.
44
wire paper, at 34 (“At leat 30 million people in the U.. ue a VPN or other
prox ervice . . . Thi numer likel will clim harpl in coming ear.”).
45
Thi tatitic i actuall larger than the fraction of uer that are relevant to thi
dicuion, ince man prox ervice are not encrpted. Jaon Mander, “GWI
Infographic: VPN Uer,” GloalWeIndex (Oct. 24, 2014),
http://www.gloalweindex.net/log/vpn-infographic.
46
William Van Winkle, “The Pro and Con Of Uing A VPN Or Prox ervice,”
Tom’ Hardware (Mar. 28, 2015), http://www.tomhardware.com/review/vpn-vprox-ervice,4087.html (“You do get what ou pa for.”).
47
GloalWeIndex, “The Miing illion,” at 9 (2014),
http://inight.gloalweindex.net/h-f/hu/304927/file-1631708567pdf/GWI_The_Miing_illion_2014.pdf?t=1441899050488 (“It’ aundantl clear
that VPN uage i mot pronounced in fat-growth nation. . . . In contrat, uage i
conideral le common in the mot mature internet market – with the UA,
Canada, France, the UK, Autralia and Japan coming at the ver ottom of the
tale.”); Chri mith, “erioul Dark Traffic: 500 Mil. People Gloall Hide Their IP
Addree,” Digida (Nov. 18, 2013), http://digida.com/puliher/vpn-hide-ip-
16
addre-ditort-analtic (“Fift percent of thee 410 million VPN uer a the jut
want acce to etter entertainment content, according to a GloalWeIndex urve
of 170,000 individual pread acro 32 countrie. Twent-eight percent a the do
o for acce to new and ocial networking ite, and to remain anonmou.”).
48
Id.
49
wire paper, at 31. (“Where VPN are in place, the IP are locked from eeing
the deep link and content (a with other encrption), and alo the domain name the
uer viit.”).
50
Vaile C. Perta, Marco V. arera, Gareth Ton, Hamed Haddadi & Aleandro
Mei, “A Glance through the VPN Looking Gla: IPv6 Leakage and DN Hijacking in
Commercial VPN client”, 1 Proc. Privac nhancing Technologie 84 (2015), availale
at http://petmpoium.org/2015/paper/02_Perta.pdf (“In particular, Window
doe not have the concept of gloal DN etting, rather, each network interface can
pecif it own DN. Due to the wa Window procee a DN reolution, an dela
in a repone from the VPN tunnel ma trigger another DN quer from a different
interface, thu reulting in a leak. . . . Under certain configuration, ome VPN client
do not change the DN etting, leaving the hot’ exiting DN erver a the default.
For intance, we oerved that the dektop verion of HideMA (v1.17) doe not
et a cutom DN when uing OpenVPN.”).
17
