This paper addresses the lack of temporal localization capability in website fingerprinting (WF) over encrypted tunnels (e.g., Tor). To this end, we propose TSA-WF—a novel framework that pioneers the integration of classical time-series analysis into WF. TSA-WF explicitly preserves both temporal ordering and packet-direction features via trajectory-direction–time encoding, dynamic time warping (DTW)-based alignment, and subsequent time-series modeling. In single-label classification, TSA-WF achieves accuracy competitive with state-of-the-art deep learning methods while demonstrating robustness against dedicated WF defenses. In multi-label settings—where multiple websites are visited sequentially—TSA-WF does not improve overall identification accuracy but, for the first time, enables approximate localization of the start time of target website visits, thereby filling a critical gap in fine-grained temporal localization for encrypted traffic analysis.

Website fingerprinting (WF) is a technique that allows an eavesdropper to determine the website a target user is accessing by inspecting the metadata associated with the packets she exchanges via some encrypted tunnel, e.g., Tor. Recent WF attacks built using machine learning (and deep learning) process and summarize trace metadata during their feature extraction phases. This methodology leads to predictions that lack information about the instant at which a given website is detected within a (potentially large) network trace comprised of multiple sequential website accesses -- a setting known as extit{multi-tab} WF. In this paper, we explore whether classical time series analysis techniques can be effective in the WF setting. Specifically, we introduce TSA-WF, a pipeline designed to closely preserve network traces' timing and direction characteristics, which enables the exploration of algorithms designed to measure time series similarity in the WF context. Our evaluation with Tor traces reveals that TSA-WF achieves a comparable accuracy to existing WF attacks in scenarios where website accesses can be easily singled-out from a given trace (i.e., the extit{single-tab} WF setting), even when shielded by specially designed WF defenses. Finally, while TSA-WF did not outperform existing attacks in the multi-tab setting, we show how TSA-WF can help pinpoint the approximate instant at which a given website of interest is visited within a multi-tab trace.footnote{This preprint has not undergone any post-submission improvements or corrections. The Version of Record of this contribution is published in the Proceedings of the 20th International Conference on Availability, Reliability and Security (ARES 2025)}