Even if a video streaming service is using HTTPS to encrypt its traffic, an attacker can still determine with a very high accuracy what content a user might be watching.
This type of snooping is possible because of an information leak discovered by a team of researchers in MPEG-DASH, a popular streaming technique implemented by today's top video platforms, such as Amazon, Netflix, YouTube, Vimeo, and others.
The "information leak" is so immanent to MPEG-DASH's design that it cannot be avoided without revamping the entire standard.
In the earlier days of the Internet, whenever a user wanted to view a video online, the streamer would deliver the entire file to user's computer for playback.
To avoid bandwidth waste, various techniques were invented to improve online video delivery. One of them was MPEG-DASH (Dynamic Adaptive Streaming over HTTP), which breaks the original video stored on a streamer's server into smaller segments holding a few seconds of video.
Based on what portion of a video a user is watching, his browser or video player would download only the segments needed to display that particular section of the stream. For obvious reasons, the standard became really popular.
According to three researchers, these segments are unique enough to create fingerprints for the video streams a user might be watching.
The idea is that each video segment is encoded with a variable bitrate that produces downloadable video segment files of various lengths.
When users download these files — that are later assembled into the final stream —, a packet download pattern takes shape for anyone watching network traffic.
According to researchers, these fingerprints are observable even if the traffic is encrypted, and an attacker can detect the download pattern even in video streams protected via HTTPS.
An attacker only needs to create a database of fingerprints for streamable video files he wants to keep an eye out.
To carry out such massive surveillance, the attacker needs to be in a position to intercept and sniff the user's traffic, such as an ISP, nation-state, traffic moderator, or malware present on smaller LANs.
The attack's success rate is way above similar techniques, with an average success rate of over 95%. In tests, the research team says it successfully identified videos a user was watching with a 99.5% success rate for YouTube, 98.6% for Vimeo, 98.5% for Netflix, and 92.5% for Amazon.
While there are clear privacy implications for this attack — such as oppressive governments keeping an eye on who watches anti-government videos — there are also good uses for the MPEG-DASH leak.
For example, law enforcement agencies could use the leak to track down people who watch child abuse or terrorist videos.
The research team also set up a dedicated website and presented their work at the USENIX security conference. A video of their presentation is available below.