By Dan Goodin in San Francisco
23rd March 2010
Google, Yahoo, Microsoft's Bing, and other leading websites are leaking
medical histories, family income, search queries, and massive amounts of
other sensitive data that can be intercepted even when encrypted,
computer scientists revealed in a new research paper.
Researchers from Indiana University and Microsoft itself were able to
infer the sensitive data by analyzing the distinct size and other
attributes of each exchange between a user and the website she was
interacting with. Using man-in-the-middle attacks, they could glean the
information even when transactions were encrypted using the Secure
Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access
"Our research shows that surprisingly detailed sensitive user data can
be reliably inferred from the web traffic of a number of high-profile,
top-of-the-line web applications" offered by Google, Yahoo, and Bing as
well as the leading online providers of tax, health and investments
services, which the researchers didn't name.
"An eavesdropper can infer the medications/surgeries/illnesses of the
user, her annual family income and investment choices and money
allocations, even though the web traffic is protected by HTTPS. We also
show that even in a corporate building that deploys the up-to-date
WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit
outside the building to glean the query words entered into employees'
laptops, as if they were exposed in plain text in the air."
Register now for HITBSecConf2010 - Dubai, the premier
deep-knowledge network security event in the GCC,
featuring keynote speakers John Viega and Matt Watchinski!