Website fingerprinting (WF) is a well-known threat to users' web privacy. New internet standards, such as QUIC, include padding to support defenses against WF. Previous work only analyzes the effectiveness of defenses when users are behind a VPN. Yet, this is not how most users browse the Internet. In this paper, we provide a comprehensive evaluation of QUIC-padding-based defenses against WF when users directly browse the web. We confirm previous claims that network-layer padding cannot provide good protection against powerful adversaries capable of observing all traffic traces. We further demonstrate that such padding is ineffective even against adversaries with constraints on traffic visibility and processing power. At the application layer, we show that defenses need to be deployed by both first and third parties, and that they can only thwart traffic analysis in limited situations. We identify challenges in deploying effective WF defenses and provide recommendations to address them.