WebTracker: Real Webbrowsing Behaviors -- is Website Fingerprinting now Realistic?
DOI:
https://doi.org/10.4108/eetss.9271
Keywords:
Webbrowsing, Website Fingerprinting, Anonymity, Privacy
Abstract
The increasing demand for privacy has driven the adoption of privacy-enhancing tools such as VPNs, but website fingerprinting – the analysis of packet metadata such as packet size and number of packets – still poses a substantial risk. Website fingerprinting allows adversaries to predict a victim’s web usage based on their browsing patterns, effectively creating a “fingerprint”. Recent studies have largely focused on laboratory settings and have assumed a simplified model: that a victim visits a single website at a time and that all network packets can be observed. However, a new private browser extension, WebTracker, deployed with real users, shows that observed browsing patterns differ significantly from those previously assumed. Users’ behavior frequently exhibits patterns that act as defensive strategies, such as multiple websites overlapping and downloading simultaneously, which can interfere with website fingerprinting. A study of international users demonstrated that over 15% of websites overlap with at least one other, with an average overlap time of 66 seconds, while a US-based study showed that only 0.72% of websites overlap. Moreover, these overlaps typically occur shortly after the initial website download. These findings suggest that the beginning of a website download is more crucial than the end for website fingerprinting attacks, highlighting the need for more analysis of webbrowsing behavior.
License
Copyright (c) 2025 EAI Endorsed Transactions on Security and Safety

This work is licensed under a Creative Commons Attribution 4.0 International License.
This is an open-access article distributed under the terms of the Creative Commons Attribution CC BY 4.0 license, which permits unlimited use, distribution, and reproduction in any medium so long as the original work is properly cited.