What is traffic analysis, and why is it a threat even with encryption?
Traffic analysis is a passive attack where the attacker observes communication patterns (volume, timing, endpoints) without reading message content — revealing information even when all messages are encrypted.
How it works:
- The attacker doesn't break encryption — they watch metadata
- Who communicates with whom, when, how often, how much data
- Patterns reveal activity: a sudden spike in encrypted military traffic tells the enemy "something is happening"
Historical example: In wartime, one side noticed the other was transmitting large volumes of encrypted messages. Even without decrypting, this signaled an impending operation. The countermeasure was to always send data — either real messages or random noise — so the enemy couldn't distinguish active from idle periods.
Modern relevance:
- ISPs can see which websites you visit (by IP) even with HTTPS
- An employer sees you're sending lots of traffic to a competitor's domain
- Tor and VPNs partially mitigate traffic analysis, but it's extremely hard to eliminate completely
Countermeasure: Send constant-rate traffic (padding with random data when idle). This is expensive and rarely done outside military applications.
Go deeper:
Traffic analysis — metadata attacks and their countermeasures.