ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication

TLS is widely used to add confidentiality, authenticity and integrity to application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP. However, TLS does not bind a TCP connection to the intended application layer protocol. This allows a man-in-the-middle attacker to redirect TLS traffic to a different TLS service endpoint on another IP address and/or port. For example, if subdomains share a wildcard certificate, an attacker can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one service may compromise the security of the other at the application layer. In this paper, we investigate cross-protocol attacks on TLS in general and conduct a systematic case study on web servers, redirecting HTTPS requests from a victim’s web browser to SMTP, IMAP, POP3, and FTP servers. We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security. We evaluate the real-world attack surface of web browsers and widely-deployed email and FTP servers in lab experiments and with internet-wide scans. We find that 1.4M web servers are generally vulnerable to cross-protocol attacks, i.e., TLS application data confusion is possible. Of these, 114k web servers can be attacked using an exploitable application server. Finally, we discuss the effectiveness of TLS extensions such as Application Layer Protocol Negotiation (ALPN) and Server Name Indiciation (SNI) in mitigating these and other cross-protocol attacks.

[1]  Frank Piessens,et al.  All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS , 2015, USENIX Annual Technical Conference.

[2]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[3]  Jochen Topf,et al.  The HTML Form Protocol Attack , 2001 .

[4]  Donald Eastlake rd,et al.  Transport Layer Security (TLS) Extensions: Extension Definitions , 2011 .

[5]  Kenneth G. Paterson,et al.  Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS , 2015, USENIX Security Symposium.

[6]  Eric Wustrow,et al.  ZMap: Fast Internet-wide Scanning and Its Security Applications , 2013, USENIX Security Symposium.

[7]  Ned Freed,et al.  SMTP Service Extension for Command Pipelining , 1997, RFC.

[8]  Eric Rescorla,et al.  Datagram Transport Layer Security Version 1.2 , 2012, RFC.

[9]  Mohamed Ali Kâafar,et al.  TLS in the Wild: An Internet-wide Analysis of TLS-based Protocols for Electronic Communication , 2015, NDSS.

[10]  Roy T. Fielding,et al.  Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing , 2014, RFC.

[11]  Paul Barford,et al.  An Empirical Study of Web Cookies , 2016, WWW.

[12]  Christof Paar,et al.  DROWN: Breaking TLS Using SSLv2 , 2016, USENIX Security Symposium.

[13]  Shay Gueron,et al.  Selfie: reflections on TLS 1.3 with PSK , 2021, IACR Cryptol. ePrint Arch..

[14]  Paul E. Hoffman SMTP Service Extension for Secure SMTP over TLS , 1999, RFC.

[15]  Jon Postel,et al.  DOD standard transmission control protocol , 1980, CCRV.

[16]  Martin Thomson,et al.  Hypertext Transfer Protocol Version 2 (HTTP/2) , 2015, RFC.

[17]  Informatika Cross-Site Printing , 2011 .

[18]  Jörg Schwenk,et al.  Same-Origin Policy: Evaluation in Modern Browsers , 2017, USENIX Security Symposium.

[19]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.3 , 2018, RFC.

[20]  Frederik Vercauteren,et al.  A cross-protocol attack on the TLS protocol , 2012, CCS.

[21]  Sheila Frankel,et al.  IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap , 2011, RFC.

[22]  Bodo Möller,et al.  This POODLE Bites: Exploiting The SSL 3.0 Fallback , 2014 .

[23]  Renegotiating TLS , 2009 .

[24]  Jörg Schwenk,et al.  SoK: Exploiting Network Printers , 2017, 2017 IEEE Symposium on Security and Privacy (SP).

[25]  Bruce Schneier,et al.  Analysis of the SSL 3.0 protocol , 1996 .

[26]  Abhay K. Bhushan,et al.  The File Transfer Protocol , 1971, Request for Comments.

[27]  Kenneth G. Paterson,et al.  On the Security of RC4 in TLS , 2013, USENIX Security Symposium.

[28]  Yu Wang,et al.  Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks , 2020, CCS.

[29]  Bruce Schneier,et al.  Protocol Interactions and the Chosen Protocol Attack , 1997, Security Protocols Workshop.

[30]  Ran Canetti,et al.  Environmental Requirements for Authentication Protocols , 2002, ISSS.

[31]  Donald E. Eastlake,et al.  Transport Layer Security (TLS) Extensions: Extension Definitions , 2011, RFC.

[32]  Mark R. Crispin,et al.  Internet Message Access Protocol - Version 4rev1 , 1994, RFC.

[33]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[34]  Markus Huber,et al.  No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large , 2015, 2016 11th International Conference on Availability, Reliability and Security (ARES).

[35]  Dawn Xiaodong Song,et al.  Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[36]  Roy T. Fielding,et al.  Hypertext Transfer Protocol - HTTP/1.0 , 1996, RFC.

[37]  Marshall T. Rose,et al.  Post Office Protocol: Version 3 , 1988, RFC.

[38]  David Cooper,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2008, RFC.

[39]  John C. Klensin,et al.  Simple Mail Transfer Protocol , 2001, RFC.

[40]  Adam Langley,et al.  Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension , 2014, RFC.

[41]  Mark Allman,et al.  FTP Security Considerations , 1999, RFC.

[42]  Wouter Joosen,et al.  Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation , 2018, NDSS.

[43]  David M. Kristol,et al.  HTTP State Management Mechanism , 1997, RFC.

[44]  Mitja Kolšek,et al.  Session Fixation Vulnerability in Web-based Applications , 2002 .

[45]  Karthikeyan Bhargavan,et al.  Network-based Origin Confusion Attacks against HTTPS Virtual Hosting , 2015, WWW.

[46]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.