Dan Goodin reports:
Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.
Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.
[…]
“An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees’ laptops, as if they were exposed in plain text in the air.”
Read more in The Register.
A PDF of the paper is here. Princeton University computer science professor and Freedom to Tinker blogger Ed Felton has additional analysis here.