Talking with Familiar Strangers: An Empirical Study on HTTPS Context Confusion Attacks

Abstract

HTTPS is principally designed for secure end-to-end communication, adding confidentiality and integrity to sensitive data transmission. While several man-in-the-middle attacks (e.g., SSL Stripping) have been proposed to break secured connections, some state-of-the-art security policies (e.g., HSTS) have significantly increased the cost of successful attacks. However, TLS certificates shared by multiple domains make HTTPS hijacking attacks possible again. In this paper, we term HTTPS MITM attacks based on shared TLS certificates the HTTPS Context Confusion Attack (SCC Attack). Though an acknowledged threat, it has not yet been studied thoroughly. We aim to fill this gap with an in-depth empirical assessment of the SCC Attack. We find it can succeed even against servers that have deployed current best-practice security policies. By rerouting encrypted traffic to another flawed server that shares the TLS certificate, attackers can bypass the security practices, hijack ongoing HTTPS connections, and subsequently launch additional attacks including phishing and payment hijacking. In particular, vulnerable HTTP headers from a third-party server are exploitable for this attack, and it is possible to hijack an already-established secure connection. Through tests on popular websites, we find vulnerable subdomains under 126 apex domains in the Alexa top 500 sites, including large vendors like Alibaba, JD, and Microsoft. Meanwhile, through a large-scale measurement, we find that TLS certificate sharing is prominent, which uncovers the high potential of such attacks, and we summarize the security dependencies among different parties. For responsible disclosure, we have been reporting the issues to affected vendors, and so far have received positive feedback. Our study sheds light on an influential attack surface of the HTTPS ecosystem and calls for proper mitigations against MITM attacks.

Publication
In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, Orlando, USA, November 2020

In 2019, we discovered a new type of HTTPS hijacking attack. We also demonstrated this project at the GeekPWN2019 competition and won first place.
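
A defender-side inventory check for the dependency the abstract describes, where a server sharing the TLS certificate can stand in for a better-protected one. This is an added example, not code from the paper or its authors: it lists hosts whose certificate is also valid for a host with a stricter policy. The inventory, the function names, and the use of a missing HSTS header as the sign of a weaker server are assumptions made for illustration.

```python
from itertools import permutations


def san_matches(pattern: str, host: str) -> bool:
    """Certificate name match: '*' is honoured only as the whole left-most
    label, covers exactly one label, and never spans a bare TLD ('*.com')."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def has_hsts(headers: dict) -> bool:
    """True only if Strict-Transport-Security carries max-age > 0
    (max-age=0 tells the browser to drop the policy)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), "")
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg) > 0
    return False


def confusable_pairs(inventory: dict) -> list:
    """Return (protected, weaker) pairs: 'weaker' presents a certificate that
    is valid for 'protected', but does not enforce HSTS itself."""
    findings = []
    for a, b in permutations(sorted(inventory), 2):
        covers = any(san_matches(s, a) for s in inventory[b]["sans"])
        if covers and has_hsts(inventory[a]["headers"]) \
                and not has_hsts(inventory[b]["headers"]):
            findings.append((a, b))
    return findings


# Constructed sample inventory (hypothetical hosts, SAN lists and headers).
INVENTORY = {
    "pay.example.com": {"sans": ["*.example.com"], "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
    "legacy.example.com": {"sans": ["*.example.com"],
                           "headers": {"Server": "nginx"}},
    "cdn.example.net": {"sans": ["cdn.example.net", "pay.example.com"],
                        "headers": {"strict-transport-security": "max-age=0"}},
    "blog.example.org": {"sans": ["blog.example.org"], "headers": {}},
}

if __name__ == "__main__":
    for protected, weaker in confusable_pairs(INVENTORY):
        print(f"{weaker} shares a certificate valid for {protected} without HSTS")
```

Each reported pair is a place where the security of the protected host depends on the configuration of another party's server, which is the kind of dependency the measurement in the abstract summarizes.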

