This is not the padding you are looking for! On the ineffectiveness of QUIC PADDING against website fingerprinting
Ludovic Barman, Sandra Siby, Christopher A. Wood, Marwan Fayed, Nick Sullivan, Carmela TroncosoAbstract
Website fingerprinting (WF) is a well-know threat to users' web privacy. New internet standards, such as QUIC, include padding to support defenses against WF. We study whether network-layer padding can indeed be used to construct effective WF defenses. We confirm previous claims that network-layer padding cannot provide good protection against powerful adversaries capable of observing all traffic traces. In contrast to prior work, we also demonstrate that such padding is ineffective even against adversaries with partial view of the traffic. Network-layer padding without application input is ineffective because it fails to hide information unique across different applications. We show that application-layer padding solutions need to be deployed by both first and third parties, and that they can only thwart traffic analysis in limited situations. We identify challenges to deploy effective WF defenses and provide recommendations to reduce these hurdles.