Measuring the Impact of HTTP / 2 and Server Push on Web Fingerprinting

The growing deployment of transportand linklayer encryption mechanisms helps to protect users’ security. However, privacy attacks are still possible due to patterns present in the network traffic. Web fingerprinting, in particular, can reveal what web site or page someone is visiting despite encryption. In this paper, we set out to study what impact new web standards—in particular, HTTP/2 and Server Push—have on the ability of adversaries to perform web fingerprinting, as these technologies significantly change network traffic patterns. We created web page models of top Alexa sites that captured the dependency structure of the resources on the site. We then captured network traces loading these models using both HTTP/1.1 and HTTP/2 with Server Push, and evaluated their susceptibility to state-of-the-art web fingerprinting attacks. Our results show that HTTP/2 presents a smaller fingerprinting surface for an adversary than HTTP/1.1. Additionally, it admits a simple padding scheme that can further reduce web fingerprinting success. This scheme is competitive with other state-ofthe-art defenses, and only presents a small amount of bandwidth overhead.