

Feature Selection Based Correlation Attack on HTTPS Secure Searching
Authors: Aaliya Sarfaraz, Ahmed Khan
Affiliation: 1. Department of Computer Science, COMSATS University, Islamabad, Pakistan
Abstract: Search engines play an irreplaceable role in organizing and accessing web information. It is very common for Internet users to query a search engine when retrieving web information. Sensitive data about a search engine user's intentions or behavior can be inferred from the user's query phrases, the returned results pages, and the webpages visited subsequently. To protect the contents of communications from eavesdropping, some search engines adopt HTTPS by default to provide bidirectional encryption. However, this only provides an encrypted channel between the user and the search engine; the majority of webpages indexed in search engines' results pages are still on HTTP-enabled websites, and the contents of these webpages can be observed by attackers once the user clicks on these links. Imitating attackers, we propose a novel approach for attacking secure search through correlation analysis of encrypted search with unencrypted webpages. We show that a simple weighted TF–DF mechanism is sufficient for selecting guessing phrase candidates. By imitating search engine users, querying these candidates, and enumerating the webpages indexed in the results pages, we can hit the definite query phrases and at the same time reconstruct the user's web-surfing trails through DNS-based URL comparison and flow-feature-statistics-based network traffic analysis. In an experiment covering 28 search phrases, we achieved a 67.86% hit rate at the first guess and a 96.43% hit rate within three guesses. Our empirical research shows that HTTPS traffic can be correlated and de-anonymized through HTTP traffic, and that the secure search offered by search engines is not always secure unless HTTPS is enabled by default everywhere.
This article is indexed in SpringerLink and other databases.