Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

We investigate current deployment practices for virtual hosting, a widely used method for serving multiple HTTP and HTTPS origins from the same server, in popular content delivery networks, cloud-hosting infrastructures, and web servers. Our study uncovers a new class of HTTPS origin confusion attacks: when two virtual hosts use the same TLS certificate, or share a TLS session cache or ticket encryption key, a network attacker may cause a page from one of them to be loaded under the other's origin in a client browser. These attacks appear when HTTPS servers are configured to allow virtual host fallback from a client-requested, secure origin to some other unexpected, less-secure origin. We present evidence that such vulnerable virtual host configurations are widespread, even on the most popular and security-scrutinized websites, thus allowing a network adversary to hijack pages, or steal secure cookies and single sign-on tokens. To prevent our virtual host confusion attacks and recover the isolation guarantees that are commonly assumed in shared hosting environments, we propose fixes to web server software and advocate conservative configuration guidelines for the composition of HTTP with TLS.
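The condition described in the abstract can be checked against an inventory of one's own deployment. The sketch below is an added example, not code from the paper or its authors. It uses a simplified model in which every name (`VHost`, `Endpoint`, `find_confusions`, the sample hosts and key labels) is hypothetical, and it assumes that each endpoint sends requests for unmatched names to its first virtual host.

```python
from dataclasses import dataclass

@dataclass
class VHost:
    name: str          # server name this virtual host answers for
    cert_sans: tuple   # names in the certificate it presents
    ticket_key: str    # label of its ticket key / session cache

@dataclass
class Endpoint:
    addr: str
    vhosts: list       # assumption: vhosts[0] is the fallback for unmatched names

def cert_covers(sans, host):
    """True if a certificate with these names is valid for host (one-label wildcards)."""
    for san in sans:
        if san == host:
            return True
        if san.startswith("*.") and host.partition(".")[2] == san[2:]:
            return True
    return False

def find_confusions(endpoints):
    """List (origin, endpoint, fallback vhost, reasons) where fallback crosses origins."""
    findings = []
    for home in endpoints:
        for victim in home.vhosts:
            for other in endpoints:
                if other is home or any(v.name == victim.name for v in other.vhosts):
                    continue  # this endpoint legitimately serves the origin
                fallback = other.vhosts[0]
                reasons = []
                if cert_covers(fallback.cert_sans, victim.name):
                    reasons.append("certificate")
                if fallback.ticket_key == victim.ticket_key:
                    reasons.append("ticket-key/session-cache")
                if reasons:
                    findings.append((victim.name, other.addr, fallback.name, tuple(reasons)))
    return findings

# Constructed sample inventory (documentation addresses and .test names).
SAMPLE = [
    Endpoint("192.0.2.10:443", [VHost("www.example.test", ("*.example.test",), "K1")]),
    Endpoint("192.0.2.20:443", [VHost("static.example.test", ("*.example.test",), "K2")]),
    Endpoint("192.0.2.30:443", [VHost("blog.other.test", ("blog.other.test",), "K1")]),
    Endpoint("192.0.2.40:443", [VHost("isolated.test", ("isolated.test",), "K4")]),
]

if __name__ == "__main__":
    for finding in find_confusions(SAMPLE):
        print(finding)
```

Each finding names an endpoint that would complete a TLS handshake for an origin it does not host and then answer from its fallback virtual host; `isolated.test`, with its own certificate and key, produces none.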
