Website Fingerprinting in the Data Plane

Sunniva Flück, Ege Cem Kirci, Roland Meier

Semantic Scholar (2021)

Abstract
The Internet was not designed with security and privacy in mind. Over the last couple of years, specific protocols and protocol extensions have been introduced to patch the Internet architecture’s security and privacy weaknesses. To name a few, HTTPS [14], encrypted DNS (DNS over TLS [25] or DNS over HTTPS [20]), and encrypted SNI [15] (an extension to the TLS protocol) focus on making the Internet a more private place by encrypting the sensitive parts of the packets. The goal of all these privacy-preserving protocols and their extensions is to hide the metadata that is otherwise visible to the entities monitoring the Internet traffic. However, the IP addresses in the packet headers are still readable for everyone and can be used, in a reverse approach, to get information about the accessed domains. As a first countermeasure, Content Delivery Networks [19] impede eavesdropping on IP addresses because they map several websites to the same IP address, so a monitoring entity can no longer tell directly from the IP address which page is accessed. However, we can show that comparison with previously stored page load fingerprints makes it possible to identify domains with high accuracy. In this thesis, we were able to create a design that detects domains in less than 5 seconds after the opening of a new session, with a correct detection rate of 75.1% when multiple domains have the same primary IP address and 92.4% when a single domain maps to one primary IP address. For the thesis, we generate a data set that contains the page load fingerprints of roughly 50’000 domains. We use it together with a data plane pipeline design of a switch, which filters traffic specifically and reduces, at an early stage, the packet load that needs to be analysed. To compare fingerprints and determine accessed websites, we develop an analysing script that works in the control plane. A Barefoot Tofino™ model serves as our target to test the implemented design.