Researchers sound alarm on Web app "side channel" data leaks

Rise of SaaS highlights threat, say Microsoft and Indiana University researchers

New research from Microsoft and Indiana University has found that data leaks from Web applications such as popular tax programs and online health programs, even when encrypted, are a real and growing threat.

According to the research, it's inevitable that a Software-as-a-Service application's data flow will be exposed on the network to some degree as it passes back and forth between a Web client (browser) and server, even when HTTPS and link-layer encryption such as WPA/WPA2 are in effect.

Network eavesdroppers could use such information to figure out which site or program you're using and glean personal information by monitoring data characteristics associated with certain Web applications, known as side-channel information, such as packet size and timing.


Such vulnerabilities are shaping up to be "an unprecedented threat to the confidentiality of user data processing by these applications," according to the researchers. They base their research on findings discovered testing the security of popular online tax, health, investing and search sites (including Google, Yahoo and Bing).

They write: "Although such side-channel leaks of Web traffic have been known for years [a documented side-channel leak is dated back to 1943...obviously before the Internet], the whole issue seems to be neglected by the general Web industry, presumably because little evidence exists to demonstrate the seriousness of their consequences other than the effect on the users of anonymity channels [such as Tor]."

Particularly worrisome is that the issue is especially prevalent in programs that use newer Web technology, such as AJAX (asynchronous JavaScript and XML), whose GUI widgets generate Web traffic in response to even a single mouse click or keystroke. Each such request is another observation an eavesdropper can use to infer what's being transmitted.

The researchers warn that while some solutions for mitigating the problem are obvious, such as padding packets to disguise their size, the actual implementation of such solutions would need to be done by app developers on a case-by-case basis.
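The packet-size channel and the padding mitigation described above, as an added example that is not from the article or the paper it reports on: an autocomplete box answers each typed prefix with a suggestion list, the eavesdropper sees only the ciphertext length, and padding responses to a bucket size shrinks how much that length reveals. The suggestion lists and the TLS overhead constant are constructed sample values.

```python
"""Added example (not from the article or the paper): measure how much an
encrypted response's size reveals about the user's input, then apply padding.
All suggestion lists below are constructed sample data, not real traffic."""
from collections import defaultdict
import math

# Constructed: what a hypothetical search box returns for each typed prefix.
# Encryption hides the content, but ciphertext length tracks plaintext length.
SUGGESTIONS = {
    "a": ["amazon", "apple", "aol"],
    "b": ["bing", "bbc", "best buy", "bank of america"],
    "c": ["cnn", "craigslist"],
    "d": ["dictionary", "disney", "dell", "download"],
}

TLS_OVERHEAD = 29  # constructed constant: record header plus MAC/tag, roughly

def response_size(prefix, pad_to=None):
    """Size an eavesdropper observes for the encrypted response to `prefix`.
    With pad_to set, the body is padded up to the next multiple of pad_to."""
    body = len(",".join(SUGGESTIONS[prefix]))
    if pad_to:
        body = math.ceil(body / pad_to) * pad_to
    return body + TLS_OVERHEAD

def size_to_prefixes(pad_to=None):
    """Group prefixes by observed size: prefixes sharing a size are
    indistinguishable to someone watching only packet lengths."""
    groups = defaultdict(list)
    for prefix in SUGGESTIONS:
        groups[response_size(prefix, pad_to)].append(prefix)
    return dict(groups)

def leaked_bits(pad_to=None):
    """Entropy of the observed-size distribution, prefixes assumed equiprobable.
    log2(len(SUGGESTIONS)) means size alone identifies the keystroke; 0 means
    every response looks the same on the wire."""
    n = len(SUGGESTIONS)
    groups = size_to_prefixes(pad_to)
    return -sum(len(g) / n * math.log2(len(g) / n) for g in groups.values())

if __name__ == "__main__":
    for pad in (None, 16, 64):
        print(f"pad_to={pad}: {leaked_bits(pad):.2f} bits, "
              f"groups={size_to_prefixes(pad)}")
```

Unpadded, every prefix has a unique size (2 bits leaked for four prefixes); padding to 16 bytes merges two of them, and padding to 64 bytes makes all four responses identical on the wire, at the cost of extra bandwidth the developer has to budget per application.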

Ed Felten, a professor of computer science and public affairs at Princeton University's Center for Information Technology Policy, blogs that "it's important to keep these attacks in perspective - bear in mind that they can only be carried out by someone who can eavesdrop on the network between you and the site you're visiting."

The researchers' findings are outlined in a paper titled "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow," which will be presented at the IEEE Symposium on Security and Privacy in Oakland in mid-May.

Follow Bob Brown on Twitter at www.twitter.com/alphadoggs
