Is it possible to use traffic analysis to extract URLs from GET and POST packets protected by TLS?


bump


Anything's possible if you believe.

IIRC a secure tunnel is created before any meaningful data is transmitted (including detailed URLs). You could try using a proxy to decode an HTTPS transmission, but if any side uses certificate pinning then you are fucked. If you are controlling any of the sides in communication then you might be able to turn off cert pinning and see what is being sent.

But what about traffic analysis? That is, trying to deduce the message based on the traffic alone.

For example, page size can be saved and compared to TLS traffic of the clients.

Do a test you nob

If there's a way to encrypt, there needs to be a way to decrypt, but I don't know if it will take it easy on you to use that method.

If you use your own certificates on both sides and have a strong cipher suite there is only one possibility to break in:
- the encryption can be cracked with a method unknown to the public. This is practically impossible because if such a thing happened it would cost a whole earth's fortune and it would not be used against you.
- timing attacks
- packet size attacks

Simple answer is "no".

Another answer:
- IP is public
- packet size leakage
are the things which can leak a lot of information about your connection and what you do.

Packet sizes can be compared with known packet sizes in order to try to get the contents.
This is what traffic analysis is about.
There's an entire paper on this. Google "TLS traffic analysis".
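
Added example, not part of any post in the thread: a sketch of why the size comparison described in the post above works against TLS 1.2 AES-GCM, and how padding responses to fixed buckets shrinks what an observer can tell apart. The page paths, body sizes and bucket sizes are constructed, HTTP headers are ignored, and the padding is assumed to be applied at the application layer.

```python
# Constructed sample data: path -> response body size in bytes (hypothetical site).
PAGES = {
    "/index.html": 5120,
    "/login": 1830,
    "/account/settings": 9411,
    "/about": 1835,
}

RECORD_MAX = 16384            # maximum plaintext bytes per TLS record
GCM_OVERHEAD = 5 + 8 + 16     # TLS 1.2 AES-GCM: record header + explicit nonce + tag


def wire_size(plain_len, pad_to=0):
    """Bytes an on-path observer sees for one response of plain_len bytes.

    pad_to > 0 models (assumed) application-layer padding that rounds the
    body up to the next multiple of pad_to before encryption.
    """
    if pad_to:
        plain_len = -(-plain_len // pad_to) * pad_to   # ceiling to bucket
    records = max(1, -(-plain_len // RECORD_MAX))      # ceiling division
    return plain_len + records * GCM_OVERHEAD


def anonymity_sets(pages, pad_to=0):
    """Group pages by observed wire size; AES-GCM adds only a fixed overhead,
    so pages with different body sizes land in different groups."""
    sets = {}
    for path, size in pages.items():
        sets.setdefault(wire_size(size, pad_to), []).append(path)
    return sets


def uniquely_identifiable(pages, pad_to=0):
    """Pages whose wire size matches no other page (anonymity set of one)."""
    return sorted(
        path
        for group in anonymity_sets(pages, pad_to).values()
        if len(group) == 1
        for path in group
    )


if __name__ == "__main__":
    for bucket in (0, 4096, 16384):
        exposed = uniquely_identifiable(PAGES, bucket)
        print(f"pad_to={bucket:>5}: {len(exposed)} of {len(PAGES)} pages identifiable by size")
```

Larger buckets cost bandwidth but put more pages into the same size class, which is the trade-off a site operator tunes when adding padding.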

I remember reading a paper about packet sizes during highly-compressed VoIP. They were able to determine some spoken content IIRC. Google around for more info.

bump

No

Downgrade attacks too brah

Care to elaborate?

Sure.
Pubkey encryption is solid. Browsers connect with TLS 1.2 and usually the best ciphers the server offers.
In very rare cases, with (hundreds of) millions of dollars of resources, you might be able to break the encryption of some traffic with servers that are misconfigured. A risk to some traffic that's stored as computing power is getting cheaper, but guess what, good server configs enforce forward secrecy.
Best servers don't even let you connect if you don't support all the latest and greatest.

But breaking the encryption is not required. Traffic analysis is sufficient to eavesdrop on some, albeit not all of the contents. That is, correlating bandwidth use to try to guess the contents.

E.g., click the lock icon on your connection with Jow Forums (or any other site), you'll see details. E.g., Jow Forums's default is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 128-bit keys, TLS 1.2.
Which is alphabet spaghetti and I don't actually know what all of that is to be honest, but it's elliptic curve Diffie-Hellman.

kek no
Best you can do is tell that 'it's text' or 'it's image data' with EXTREMELY large data sets.

>Best you can do is tell that 'it's text' or 'it's image data' with EXTREMELY large data sets.

Not at all. You can even determine which social media accounts are used and such by correlating profile images with very small data sets. There's a paper available on the topic.
Google "TLS traffic analysis".

bump

>is it possible?
Yes.
>for you?
No.

Encryption doesn't matter, you can just right click and go to inspect and see all the data going both ways in the network tab.