A new type of attack has emerged that exploits misconfigurations in transport layer security (TLS) servers that can redirect HTTPS traffic from a victim’s web browser to a different TLS service endpoint located on another IP address, allowing the sensitive data to be stolen. The attack, dubbed TLS 1.3 hijacking for HTTPS, was demonstrated last week by researchers at France’s Inria research institute.

The researchers reported that in some cases, the redirected data could be retrieved even after the original connection has been closed down, allowing an attacker to keep the conversation going indefinitely. The attack also opens up possibilities of using it to launch other attacks, such as session hijacking and DoS attacks on the vulnerable TLS server.

“We show two real-world TLS 1.3 hijacking attacks,” the researchers said in their paper. “In the first attack, we manipulate a client’s request to force her to negotiate with an attacker-controlled TLS 1.3 server. In the second attack, we establish a TLS 1.3 connection with an attacker-controlled TLS 1.3 server and we hand over this connection to our client, who has no way of knowing that she is connected to an attacker. We demonstrate that the TLS 1.3 hijacking attacks work both when the attacker controls a malicious DNS server and when they do not.”

The attack has been dubbed ALPACA, which is short for “Application Layer Protocol Confusion – Analyzing and mitigating Cracks in TLS Authentication,” by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.
The group said that in order to be successful, the attack requires two things: (1) the Ciphers suite must be enabled in the TLS 1.3 handshake, and (2) a misconfiguration of an existing TLS 1.2 server that returns an address for a transport layer security server with an invalid key.

ALPACA attacks can occur because transport layer security does not bind a TCP connection to the intended application layer protocol, as stated by the researchers. The lack of protection results in abuse within the connection. The researchers said that even if the application level protocol is encrypted, an attacker can use some methods—like TCP connection hijacking—to redirect the TCP connection to a different TLS instance.

“The attack works because TLS is unbound,” the researchers explained. “This means that TLS negotiates for a TLS version, authenticates those certificates, and then, after that, uses the version it negotiated with that server to negotiate a new data stream for an application-level protocol.

Given the web browser from a client and two application servers, tricking the substitute server into accepting application data from the client, or vice versa can be accomplished through a variety of means.

“This approach can also be used to attack websites that use these applications,” the researchers said. “For example, if you want to attack a website with the Twitter or Facebook protocol client, you may not need to trick the server; all that is necessary is for the application server to accept data from a connection whose TCP connection it does not expect.”

In an effort to counteract this attack, the researchers propose utilizing application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to transport layer security that can be used by a client to let the server know about the intended protocol to be used over a secure connection and the hostname it’s attempting to connect to at the start of the handshake process.

The researcher’s findings are expected to be presented at Black Hat USA 2021 and at USENIX Security Symposium 2021.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, TLS

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.