West Point Researchers Demonstrate Passive Netflix Traffic Analysis Attack (threatpost.com)
hypercard writes: Researchers from West Point recently presented research on a real-time passive analysis of Netflix traffic. The paper, entitled "Identifying HTTPS-Protected Netflix Videos in Real-Time" is based on research conducted by Andrew Reed, Michael Kranch and Benjamin Klimkowski. The team's technique demonstrates frighteningly accurate results based solely on information captured from TCP/IP headers. Even with the recent upgrade to HTTPS, their technique was effective at identifying the correct video with greater than 99.99 percent accuracy against their database of over 42,000 videos. "When tested against 200 random 20-minute video streams, our system identified 99.5 percent of the videos with the majority of the identifications occurring less than two and a half minutes into the video stream," the paper reads. However, there are important points to note. First, the attack described only applies to streams still using Silverlight. Additionally, an attacker would likely need significant resources and access to intercept, fingerprint and process the traffic in real time. Netflix has reacted positively to the team's research and acknowledged the issue as a known drawback to processing video streams with HTTPS.
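An added illustration, not part of the Slashdot summary or of the West Point paper, of why header-level byte counts are enough to fingerprint variable-bitrate video, and of the trade-off behind the "known drawback" Netflix acknowledged: padding segments to fixed sizes shrinks the leak at a bandwidth cost. It assumes, as the paper's technique does, that the observable is the per-segment byte count of the stream; the catalogue of segment sizes and the observed stream are constructed toy values, and the bucket sizes are hypothetical.

```python
"""Added example: distinguishability of encrypted video streams from
per-segment byte counts alone, before and after a padding mitigation.
All sizes are constructed toy values in kilobytes (not Netflix data)."""

# Constructed "catalogue" of per-segment sizes for three hypothetical titles.
# Variable-bitrate encoding makes each title's size sequence distinctive;
# real fingerprints would be derived from encoder output (assumption).
CATALOGUE = {
    "title_A": [310, 295, 480, 510, 290, 305, 470, 300],
    "title_B": [300, 305, 295, 310, 300, 298, 302, 305],
    "title_C": [600, 120, 610, 115, 590, 125, 605, 118],
}


def distance(observed, reference):
    """Sum of absolute size differences over the overlapping prefix."""
    n = min(len(observed), len(reference))
    return sum(abs(a - b) for a, b in zip(observed[:n], reference[:n]))


def best_match(observed, catalogue):
    """Return (title, margin): the closest title and how far behind the
    runner-up is. A margin of 0 means the observation cannot discriminate
    between at least two titles."""
    scored = sorted((distance(observed, ref), title)
                    for title, ref in catalogue.items())
    best_d, best_t = scored[0]
    runner_d = scored[1][0] if len(scored) > 1 else best_d
    return best_t, runner_d - best_d


def pad_to_bucket(sizes, bucket):
    """Mitigation: round every segment up to a multiple of `bucket` KB so
    that segments of similar size become identical on the wire."""
    return [((s + bucket - 1) // bucket) * bucket for s in sizes]


def padded_catalogue(catalogue, bucket):
    """What the catalogue looks like once the server pads every segment."""
    return {t: pad_to_bucket(s, bucket) for t, s in catalogue.items()}


def overhead(sizes, padded):
    """Extra bytes sent as a fraction of the unpadded stream."""
    return sum(padded) / sum(sizes) - 1.0


if __name__ == "__main__":
    # Constructed observation: first five segments of title_A with jitter,
    # as a passive observer would see them from packet sizes.
    observed = [312, 293, 482, 509, 291]
    print("unpadded:", best_match(observed, CATALOGUE))
    bucket = 256  # hypothetical padding granularity
    print("padded  :", best_match(pad_to_bucket(observed, bucket),
                                  padded_catalogue(CATALOGUE, bucket)))
    for t, s in CATALOGUE.items():
        print(f"{t}: overhead {overhead(s, pad_to_bucket(s, bucket)):.1%}")
```

With these constructed values the unpadded observation identifies title_A by a wide margin after five segments; with 256 KB padding, title_A and title_B collapse onto identical wire sizes (margin 0), while the bursty title_C stays distinguishable, which is the point: coarse padding buys indistinguishability only among titles whose sizes fall into the same buckets, and costs roughly 38% extra bytes on title_A here.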
So... (Score:3, Insightful)
"only applies to streams still using Silverlight"
Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?
Re: (Score:2, Interesting)
That's just what they used in their work. The technique seems to be applicable to any other kind of transport as well; they just didn't bother doing that.
Re:So... (Score:4, Interesting)
"only applies to streams still using Silverlight"
Stop using Silverlight, or better yet, stop using anything Microsoft releases to try and accomplish what ActiveX and Silverlight try to?
At the moment, options are limited. Adobe Flash player with RTMP, HTML5 with RTP, or HLS? The problem is largely that web based video streaming doesn't have a whole lot of options unless you commit to writing your own cross-browser plugin. That is precisely what Flash Player did. We need better standards for video streaming. HTML5 (or perhaps browser adoption of it) didn't really step up to the plate very well.
It's funny to me that a lot of developers seem to think that because you're in the context of a web browser that one needs to use HTTP for everything. That's just simply not true.
Re: (Score:2)
HTML5 didn't step up to the plate because Google chose to push their own CODEC instead of simply using the industry standard H.264.
Re: (Score:2)
Fwiw I've been happily watching Netflix in the browser via their excellent HTML 5 player without flash or Silverlight for a long time now. Works flawlessly in Chrome and I think it's ok in Firefox. Requires the (built in) Widevine plugin for DRM.
Amazon Prime Video works too. I uninstalled Flash 2 years ago and have never installed Silverlight.
Re: (Score:2)
The problem is not the video streaming. It is the DRM.
The DRM that Google and the W3C want to standardize on, and that Netflix must use by law, yet FOSS peeps keep railing against. These FOSS peeps can't see the forest for the trees; they would rather be stuck using Silverlight.
I'm not watching TV at work! I'm doing research (Score:1)
Some academics are trying to rationalize their work-time bingewatching as "security research" ;)
Seriously, this is pretty interesting nevertheless. It shows how much information can be garnered from side channels. And to think we're leaking them all the time...
And this gem from the PDF paper:
Re: (Score:1)
Yeah, I don't get it either. Where is the 'attack' part of this? It's more like traffic analysis. Given the access to the traffic you need, it might be easier to stand outside their front door and listen for a minute.
Video Privacy Protection Act of 1988 (Score:3)
The "attack" is described in the rationale for the Video Privacy Protection Act of 1988 [wikipedia.org], which was a response to the release of D.C. Circuit Judge Robert Bork's video rental history and its publication in Washington City Paper before his unsuccessful nomination to the Supreme Court of the United States [wikipedia.org].
Re: So an attacker would know what you are watchin (Score:1)
Knowing your taste for entertainment makes social engineering a lot more viable.
Re: (Score:2)
Particularly when the "security questions" used as a faux second factor for authentication on many services include "What is your favorite movie?", as I discovered yesterday when creating an account on a web-based income tax return preparation service.
Re: (Score:2, Troll)
You're analogy is quite flawed.
As is your grammar.
Re: (Score:2)
It's Silverlight for chrissake. Is anybody surprised that the envelope is transparent and doesn't protect anonymity and content?
Timing is everything (Score:1)
Comment removed (Score:3)
streams still using Silverlight? (Score:3)
I thought Silverlight was supposed to be dead. Besides, if you are using Windows, your first concern obviously isn't privacy.
The truth is out there... now (Score:2)
Average Slashdotters: I'm watching porn! Lots of porn!
Researchers: Actually, we've determined you're watching the Veggie Tales' "Barbara Manatee" song clip, over and over.
Re: (Score:2)
Or Rule 34: it's porn of Veggie Tales' Barbara Manatee.
so what (Score:2, Insightful)
Why should I care? Netflix already knows what I watch and I have no doubt that they would sell that information.
Compression+HTTPS=Badness (Score:2)
Re: (Score:2)
I often have the subtitles on and I watch at 1.3x to 1.5x.
Plus Netflix sells all this data anyway. It's easier to just buy it from them to find out I watched Kubo and the Two Strings yesterday.
Netflix doesn't even have porn. If they like money, they should, though. Far more people would pay an extra $10 a month for Netflix + Porn over what they currently pay for Netflix. Not many people are willing to pay $10 a month standalone for porn. But as an add-on from a reputable company that won't infect your
Waste of time (Score:2)
Rarely has so much research been done to reveal so little of any actual worth. This is West Point funded -- I assume the government is behind this somewhere? Don't.... don't they already have access to Netflix data on the backend?