We are increasingly concerned about our privacy and about others learning our hobbies, tastes, and interests through the Internet. However, keeping our privacy online is getting harder, both because of the advanced tracking systems built into most web pages and, in many cases, because the protocols in use unknowingly expose information that should stay private, as has just happened to Netflix.
Recently, a security expert from the United States Military Academy has been analyzing the HTTPS connections through which Netflix communicates securely with its users. In this study he was able to show that, although the connections are secure and do not endanger users' personal data or safety, the TCP/IP headers alone account for 99.5% of the tracking fingerprint.
It is true that HTTPS is designed to preserve privacy, and Netflix is not being negligent here: it does not send the titles of movies or series in plain text in these headers. What the traffic does reveal is the variable bit rate (VBR), and that rate is predictable enough to be associated with a specific series or film.
This security expert built a small database of 42,000 Netflix videos, each represented by more than 7 fingerprints. With it, simply capturing one trace from any user of the platform is enough to find out which content is playing without much difficulty.
The algorithm created by this expert can automatically recognize any movie in at most 3 minutes and 55 seconds, although most videos are identified in under two and a half minutes. While the technique works on almost the entire Netflix library, two specific films take more work because they contain long stretches that are entirely black: 2001: A Space Odyssey and The Gospel Way: A Story of Jesus.
All of this expert's research, his algorithm and the tools he used are available on GitHub.
Whether this problem gets solved is up to Netflix
So far, Netflix has not commented on this security flaw that may expose its users' tastes. The researcher, however, says that fixing it should not be too complicated and offers a couple of ideas on how to do so.
The browser could average several segments and send the corresponding HTTP GET requests at that average size instead of the size of each individual segment. It could even combine segments at random and send the data of the combined segments, which likewise prevents identifying what is being watched with this simple technique.
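To make these two ideas concrete, here is an added example (it is neither the researcher's code nor anything from Netflix) that uses a constructed catalog of hypothetical per-segment sizes: a naive nearest-neighbour matcher stands in for the observer, and the two transforms show how window-averaging and random combining blur the fingerprint the observer relies on.

```python
import random
from statistics import mean

# Constructed sample catalog: title -> per-segment request sizes in KB.
# These are hypothetical values, not real Netflix fingerprints.
CATALOG = {
    "title_a": [420, 380, 610, 590, 300, 310, 700, 690],
    "title_b": [400, 400, 600, 600, 305, 305, 695, 695],
    "title_c": [900, 120, 330, 870, 450, 160, 780, 610],
}


def identify(observed, catalog):
    """Nearest-neighbour match on segment sizes: a passive observer's view."""
    def dist(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    return min(catalog, key=lambda title: dist(observed, catalog[title]))


def average_segments(sizes, window):
    """Mitigation 1: request every segment in a window at the window's mean size."""
    out = []
    for i in range(0, len(sizes), window):
        chunk = sizes[i:i + window]
        out.extend([round(mean(chunk))] * len(chunk))
    return out


def combine_segments(sizes, rng):
    """Mitigation 2: randomly merge 1 to 3 neighbouring segments into one request."""
    out, i = [], 0
    while i < len(sizes):
        n = rng.choice([1, 2, 3])
        out.append(sum(sizes[i:i + n]))
        i += n
    return out


def unique_titles(catalog, transform):
    """Count titles whose transformed fingerprint collides with no other title."""
    fps = {t: tuple(transform(s)) for t, s in catalog.items()}
    values = list(fps.values())
    return sum(1 for fp in values if values.count(fp) == 1)


if __name__ == "__main__":
    print("unique before:", unique_titles(CATALOG, lambda s: s))
    print("unique after averaging:", unique_titles(CATALOG, lambda s: average_segments(s, 2)))
    print("averaged title_a identified as:", identify(average_segments(CATALOG["title_a"], 2), CATALOG))
```

With window 2, title_a and title_b collapse onto the same averaged sequence, so an observer holding the raw catalog misidentifies an averaged title_a stream as title_b; combining segments also keeps the total bytes unchanged while shortening and randomizing the size sequence.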
For now, we can only wait and see whether Netflix, a company that, to be fair, is committed to transparency and security, remedies this.
Are you worried that others may find out what you do or do not watch on Netflix?