Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Media Privacy Security The Internet Entertainment

West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack ( 64

hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.
This discussion has been archived. No new comments can be posted.

West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack

Comments Filter:
  • So... (Score:3, Insightful)

    by TFlan91 ( 2615727 ) on Thursday April 13, 2017 @09:09AM (#54227819)

    "only applies to streams still using Silverlight"

    Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      That's just what they used in their work. The technique seems to be applicable to any other kind of transports as well, they just didn't bother doing that.

      • Correct. There's been a lot of work done on this, you can identify encrypted video, voice, web browsing, you name it. They just happened to target Netflix this time. My only complaint with the work is that this stuff isn't exactly news, it's been known for years. The only novel aspect is that they get 99.99% accuracy while others have got lower accuracy scores... of course that's for blind ID, not using a fixed training data set.
    • Re:So... (Score:4, Interesting)

      by zifn4b ( 1040588 ) on Thursday April 13, 2017 @09:23AM (#54227879)

      "only applies to streams still using Silverlight"

      Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?

      At the moment, options are limited. Adobe Flash player with RTMP, HTML5 with RTP, or HLS? The problem is largely that web based video streaming doesn't have a whole lot of options unless you commit to writing your own cross-browser plugin. That is precisely what Flash Player did. We need better standards for video streaming. HTML5 (or perhaps browser adoption of it) didn't really step up to the plate very well.

      It's funny to me that a lot of developers seem to think that because you're in the context of a web browser that one needs to use HTTP for everything. That's just simply not true.

      • by Gr8Apes ( 679165 )
        HTML5 using RTP is absolutely satisfactory, as that covers the connection and protocol portions. The payload is a different thing, and that's purely based on implementation. It should be easy enough to add some random data bits on a secondary data pass within the encrypted stream to completely confound such analysis. The real issue here is a crappy implementation that leaks data rather than any issue with encryption.
      • HTML5 didn't step up to the plate because Google chose to push their own CODEC instead of simply using the industry standard H.264.

      • by trawg ( 308495 )

        Fwiw I've been happily watching Netflix in the browser via their excellent HTML 5 player without flash or Silverlight for a long time now. Works flawlessly in Chrome and I think it's ok in Firefox. Requires the (built in) Widevine plugin for DRM.

        Amazon Prime video works too. I uninstaller Flash 2 years ago and have never installed Silverlight.

      • by brunes69 ( 86786 )

        The problem is not the video streaming. It is the DRM.

        The DRM that Google and the W3C want to standardize on, and that Netflix must use by law, yet FOSS peeps keep railing against. These FOSS peeps can't see the forest for the trees; they would rather be stuck using Silverlight.

    • by rhazz ( 2853871 )
      Better yet, just sit back and don't worry about it. What exactly is the risk of someone finding out what you are watching on Netflix?
  • Some academics are trying to rationalize their work-time bingewatching as "security research" ;)

    Seriously, this is pretty interesting nevertheless. It shows how much information can be garnered from side channels. And to think we're leaking them all the time...

    And this gem from the PDF paper:

    Interestingly, 126 windows do not even return themselves. Upon further inspection, we found that these windows stem from two movies, 2001: A Space Odyssey and The Gospel Road: A Story of Jesus, both of which have le

  • "Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time." Hmm.. I don't quite recall but I seem to remember someone talking about ISP's being permitted to monetize collected data from customers..
  • This article talks about matching videos with known ones what, unlikely what some people seem to think, is pretty much all what automated image (or video) recognition is about. For example, recognising that a given picture contains a house is usually the result of having compared the given pixels against the ones in a training set of images with houses. Almost any variation with respect to the training image has a relevant impact on this process (e.g., different structure, colours, positions, distorted pixels, etc). Additionally, these analyses usually consume lots of hardware resources.

    Even in case of getting a perfect copy of the original video, just automating the recognition of its contents would represent a further layer of complexity. Something like separating the videos about sports from the ones about movies would be very difficult; virtually impossible when dealing with random inputs and expecting a high enough accuracy.
  • by Gravis Zero ( 934156 ) on Thursday April 13, 2017 @10:06AM (#54228067)

    I thought Silverlight was supposed to be dead. Besides, if you are using Windows, your first concern obviously isn't privacy.

  • Average Slashdotters: I'm watching porn! Lots of porn!

    Researchers: Actually, we've determined you're watching the Veggie Tales' "Barbara Manatee" song clip, over and over.

  • so what (Score:2, Insightful)

    by Anonymous Coward

    Why should I care? Netflix already knows what I watch and I have no doubt that they would sell that information.

  • "Reed and Klimkowski show that this combination of DASH and VBR can produce sequences of video segment sizes (i.e. fingerprints) that are unique for each video." Do we really need yet another lesson to teach us that mixing variably (but deterministically) sized traffic segments with HTTPS is self-defeating? Netflix needs to confront the fact that if they value user privacy over performance, they need to roughly double their bandwidth by appending non-pseudo-random junk traffic to each segment, and en
    • by AHuxley ( 892839 )
      Think of a method that could be given any video and then track the https users. Encode a vast database of interesting video clips and watch for traces of that https globally.
    • I often have the subtitles on and I watch at 1.3x to 1.5x.
      Plus Netflix sells all this data anyway. It's easier to just buy it from them to find out I watched Kubo and the Two Strings yesterday.

      Netflix doesn't even have porn. If they like money, they should, though. Far more people would pay an extra $10 a month for Netflix + Porn over what they currently pay for Netflix. Not many people are willing to pay $10 a month standalone for porn. But as an add-on from a reputable company that won't infect your

  • Rarely has so much research been done to reveal so little of any actual worth. This is West Point funded -- I assume the government is behind this somewhere? Don't.... don't they already have access to Netflix data on the backend?

You will never amount to much. -- Munich Schoolmaster, to Albert Einstein, age 10