How To Pull Location Data From Encrypted Google Maps Sessions
Trailrunner7 writes "In the last couple of years, Google and some other Web giants have moved to make many of their services accessible over SSL, and in many cases, made HTTPS connections the default. That's designed to make eavesdropping on those connections more difficult, but as researchers have shown, it certainly doesn't make traffic analysis of those connections impossible. Vincent Berg of IOActive has written a tool that can monitor SSL connections and make some highly educated guesses about the contents of the requests going to Google Maps, specifically looking at what size the PNG files returned by Google Maps are. The tool then attempts to group those images in a specific location, based on the grid and tile system that Google uses to construct its maps."
Re:Not a failing in SSL (Score:5, Informative)
Well, it has to do with the underlying technology: SSL, as it's normally applied, provides you with an unencrypted side channel that leaks information that you'd like kept private. To counter it would require sending a more-or-less fixed bandwidth SSL stream, padded with pseudorandom noise. That is a fundamental deficiency of SSL and many other cryptosystems that apply to interactive uses over the web: to keep everything private, it needs a fixed (and wasteful) bandwidth allocation.
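The trade-off discussed above, as an added example that is not part of the original thread and is not IOActive's tool: it measures how many tiles share each observable response length, with and without padding, and what the padding costs in bandwidth. The tile names, sizes and the constant per-response overhead are constructed assumptions, not real Google Maps values.

```python
# Constructed sample data: tile id -> PNG size in bytes (not real map tiles).
TILES = {
    "tile_a": 14213, "tile_b": 9876, "tile_c": 14980,
    "tile_d": 22751, "tile_e": 9123, "tile_f": 22004,
}
OVERHEAD = 29  # assumed constant bytes added per response by the record layer


def wire_length(size, bucket=None):
    """Length visible on the wire; with bucket set, the plaintext is first
    padded up to the next multiple of bucket bytes."""
    if bucket:
        size = -(-size // bucket) * bucket  # ceiling to a bucket boundary
    return size + OVERHEAD


def candidates(observed, bucket=None):
    """Tiles whose response would produce the observed wire length."""
    return sorted(t for t, s in TILES.items()
                  if wire_length(s, bucket) == observed)


def anonymity_sets(bucket=None):
    """For each tile, the number of tiles indistinguishable from it by length.
    A value of 1 means the length alone identifies the tile."""
    return {t: len(candidates(wire_length(s, bucket), bucket))
            for t, s in TILES.items()}


def padding_overhead(bucket):
    """Extra bytes sent because of padding, as a fraction of the raw bytes."""
    raw = sum(TILES.values())
    padded = sum(wire_length(s, bucket) - OVERHEAD for s in TILES.values())
    return (padded - raw) / raw


if __name__ == "__main__":
    for bucket in (None, 8192, 32768):
        sets = anonymity_sets(bucket)
        cost = padding_overhead(bucket) if bucket else 0.0
        print(f"bucket={bucket}: smallest anonymity set={min(sets.values())}, "
              f"bandwidth overhead={cost:.1%}")
```

With these sample values, every tile is uniquely identifiable without padding, 8 KiB buckets leave sets of 2 to 4 tiles, and only a single fixed size hides all six, at more than double the bandwidth.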