HTTPS/2 URL Tracking from a Single IP

TL;DR

Yes. Even though HTTPS/2 (HTTP/2 carried over TLS) encrypts the requests and responses themselves, the URLs (in practice, the hostnames) of sites visited from a single IP can still be distinguished. The two main sources are the Server Name Indication (SNI) extension sent in clear text during the TLS handshake and the size patterns produced by HTTP/2 header compression (HPACK). The content of the communication stays encrypted; what leaks is metadata about which website you are connecting to.

Understanding the Problem

HTTPS/2 encrypts the body of your web traffic, protecting what you send and receive. However, simply establishing a secure connection requires revealing some information before any encryption key exists. The main ways the sites behind the URLs can be identified are:

  • Server Name Indication (SNI): This tells the server which website you’re trying to reach when multiple websites share the same IP address. It is sent in the unencrypted Client Hello, so anyone on the path can read it.
  • HTTP/2 Header Compression (HPACK): HPACK is efficient, but its per-connection dynamic table means a repeated header such as :authority compresses to a single index byte after the first request. The resulting differences in frame size, visible even through TLS, can leak information about frequently visited domains.

Solution Guide: Identifying URLs

Here’s how you can identify URLs viewed during HTTPS/2 transactions from a single IP address:

1. Packet Capture

  1. Capture Traffic: Use a packet capture tool like Wireshark or tcpdump to record network traffic.
     tcpdump -i eth0 -w capture.pcap port 443
  2. Filter for HTTPS/2: Filter the captured traffic to focus on connections using HTTPS/2 (typically port 443).

2. Analyse Server Name Indication (SNI)

  1. Wireshark Analysis: Open the capture file in Wireshark.
  2. Filter for SNI: Apply a display filter that matches only TLS Client Hello packets carrying the server_name extension (Wireshark 3.0 and later use the tls. prefix; older releases use ssl.).
    tls.handshake.extensions_server_name
  3. Inspect Handshake: Examine the TLS Client Hello packet. The ‘Server Name’ field within the extensions will reveal the hostname being requested. The path and query string of the URL travel inside the encrypted stream and are not visible here.

3. HTTP/2 Header Compression Analysis

This is more complex, but possible.

  1. HPACK Decoding: Wireshark’s HTTP/2 dissector decodes HPACK-compressed HEADERS frames, but only when it can decrypt the TLS session, for example by pointing the TLS protocol preference ‘(Pre)-Master-Secret log filename’ at a key log file written by a browser via SSLKEYLOGFILE. Without session keys, only the sizes and timing of the encrypted records are visible.
    • Enable TLS decryption with the session keys if you have them; the HTTP/2 dissector then decodes the headers automatically.
    • Look for patterns in header fields that indicate frequently visited domains.
  2. Statistical Analysis: Repeatedly visiting the same domain will result in more efficient compression, so the encrypted HEADERS frames for later requests are noticeably smaller than the first. This leaves a detectable ‘fingerprint’ in record sizes. It requires advanced traffic analysis and isn’t always reliable, because padding, other headers and concurrent streams blur the signal.
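To make the size-fingerprint argument concrete, here is a minimal HPACK encoder (added example, not code from the original post). It follows RFC 7541’s integer and string encodings and dynamic-table indexing but deliberately skips Huffman coding and the static table, so every first occurrence of a header is sent as a literal with incremental indexing and every repeat as a one-byte index. The header lists, the hostnames and the helper names (HpackEncoder, request_sizes) are constructed for this illustration.

```python
# Minimal HPACK encoder (RFC 7541 subset) to show why repeated :authority values
# shrink the encoded header block, and hence the encrypted HEADERS frame.
# Added example; it omits Huffman coding and the 61-entry static table.

STATIC_TABLE_SIZE = 61          # RFC 7541 Appendix A: static indices 1..61
ENTRY_OVERHEAD = 32             # RFC 7541 section 4.1 per-entry size overhead


def encode_int(value: int, prefix_bits: int, flags: int = 0) -> bytes:
    """RFC 7541 section 5.1 integer encoding with an N-bit prefix."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def encode_string(raw: bytes) -> bytes:
    """String literal with H bit = 0 (raw octets, no Huffman coding)."""
    return encode_int(len(raw), 7) + raw


class HpackEncoder:
    """Tracks the per-connection dynamic table exactly as a peer would."""

    def __init__(self, max_size: int = 4096):
        self.table = []           # dynamic table, newest entry first
        self.max_size = max_size

    def _size(self) -> int:
        return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.table)

    def _add(self, name: bytes, value: bytes) -> None:
        self.table.insert(0, (name, value))
        while self._size() > self.max_size:   # evict oldest entries
            self.table.pop()

    def encode(self, headers) -> bytes:
        out = bytearray()
        for name, value in headers:
            entry = (name.encode(), value.encode())
            if entry in self.table:
                # Indexed header field: 1xxxxxxx, dynamic index = 62 + position
                idx = STATIC_TABLE_SIZE + 1 + self.table.index(entry)
                out += encode_int(idx, 7, 0x80)
            else:
                # Literal with incremental indexing, new name: 01000000 + strings
                out += encode_int(0, 6, 0x40)
                out += encode_string(entry[0]) + encode_string(entry[1])
                self._add(*entry)
        return bytes(out)


def request_sizes(authorities) -> list:
    """Encoded header-block size for one GET / per hostname over a single connection."""
    enc = HpackEncoder()
    sizes = []
    for host in authorities:                       # constructed request sequence
        block = enc.encode([(":method", "GET"), (":scheme", "https"),
                            (":authority", host), (":path", "/")])
        sizes.append(len(block))
    return sizes


if __name__ == "__main__":
    # First visit to example.com is a large literal block; the repeat collapses
    # to four index bytes; a new host costs only the new :authority literal.
    print(request_sizes(["example.com", "example.com", "other.example"]))  # → [61, 4, 29]
```

The three sizes are exactly what an on-path observer would see as TLS record length differences, which is why HTTP/2 provides the PADDED flag on HEADERS and DATA frames and why TLS 1.3 supports record padding: both exist to blunt this kind of traffic analysis.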

4. Using Network Monitoring Tools

Several network monitoring tools can help automate this process:

  • Zeek (formerly Bro): A powerful network security monitor whose SSL/TLS analyser records the SNI of every TLS connection in the server_name column of ssl.log. The analyser is part of the default base scripts, so the only configuration needed is to make sure it is loaded.
    # Example Zeek configuration snippet: load the SSL/TLS analyser (ssl.log gains a server_name field)
    @load base/protocols/ssl
  • tshark: The command-line version of Wireshark, useful for scripting and automated analysis. The -Y filter keeps only Client Hello packets that carry an SNI, and -e selects the fields to print.
    tshark -r capture.pcap -Y "tls.handshake.extensions_server_name" -T fields -e ip.src -e tls.handshake.extensions_server_name
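The Wireshark filter in section 2 and the tshark and Zeek extraction in section 4 all read the same handful of bytes from the unencrypted Client Hello. The following parser, added here as an example rather than taken from the original post or from any of those tools, walks a TLS record to the server_name extension and also reports whether an encrypted_client_hello extension (draft codepoint 0xfe0d) is present, since under ECH the plaintext SNI is only the public name of the fronting server. The build_client_hello helper and the hostnames are constructed test input; a real capture would feed the raw TCP payload of the first packet from the client instead.

```python
# Parse a TLS Client Hello to recover the SNI hostname and detect ECH.
# Added example; the sample records are constructed, not captured traffic.
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D            # encrypted_client_hello, draft-ietf-tls-esni codepoint


def build_client_hello(hostname: str, with_ech: bool = False) -> bytes:
    """Construct a minimal TLS record carrying a Client Hello (test input only)."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    exts = sni_ext
    if with_ech:
        payload = b"\x00" * 16   # placeholder; real ECH carries HPKE ciphertext
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (b"\x03\x03" + b"\x11" * 32              # client_version, random
            + b"\x00"                                # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes):
    """Return (sni_hostname or None, has_ech) for a TLS record holding a Client Hello."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None, False
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None, False
        ch = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                  # skip version and random
        pos += 1 + ch[pos]                            # session_id
        pos += 2 + struct.unpack("!H", ch[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + ch[pos]                            # compression_methods
        if pos + 2 > len(ch):
            return None, False                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        sni, has_ech = None, False
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            data = ch[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_ECH:
                has_ech = True
            elif etype == EXT_SERVER_NAME and len(data) >= 5:
                list_len = struct.unpack("!H", data[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:          # ServerNameList entries
                    ntype = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    if ntype == 0:                    # host_name
                        sni = data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                        break
                    q += 3 + nlen
        return sni, has_ech
    except (IndexError, struct.error):
        return None, False                            # truncated or malformed record


if __name__ == "__main__":
    for rec in (build_client_hello("example.com"),
                build_client_hello("public.example", with_ech=True)):
        host, ech = extract_sni(rec)
        print(f"sni={host!r} ech={ech}")
```

When ECH is in use the parser still returns a hostname, but it is the shared public name from the server’s ECH configuration; the real site name sits in the encrypted inner Client Hello. A monitoring pipeline that keys alerts or allow-lists on SNI therefore needs to check the ECH flag before trusting the value.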

5. Mitigating URL Tracking

  • Use DNS over HTTPS (DoH): Encrypts your DNS queries, preventing eavesdropping on the domains you’re resolving. On its own it does not hide the SNI, so it closes the DNS leak but not the TLS handshake leak.
  • VPN: Masks your IP address and encrypts all traffic between you and the VPN provider, moving the SNI leak from your local network to the provider’s exit point.
  • Tor Browser: Routes your traffic through a network of relays for enhanced anonymity.
  • Encrypted Client Hello (ECH): A newer TLS extension that encrypts the SNI field inside an inner Client Hello, leaving only a public fronting name visible. It needs a server that publishes an ECH configuration (typically via DNS HTTPS records) and an encrypted DNS transport such as DoH to fetch it without leaking, and client and server support is still limited.