The ALPACA attack profile uses domain confusion to fool secure web servers.
Researchers in Germany have identified a new type of “man in the middle” attack vector that uses cross-protocol server communications to infiltrate and compromise supposedly secure HTTPS servers.
In most cases, especially for companies, the domain name of the website matches the domain name in the email or FTP server certificate. The man-in-the-middle (MitM) ALPACA attacker tricks the the browser into establishing a Transport Layer Security (TLS) connection with one of these servers rather than the website the user intended to visit.
How hackers use TLS to access “secure” information
As the researchers explain in a paper published this week, TLS is an internet standard to secure the communication between servers and clients on the internet. For example, web servers, FTP servers, and Email servers all use TLS to secure data transfers.
ALPACA is an application layer protocol content confusion attack, they explain. It exploits TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
“The basic principle is that an attacker can redirect traffic intended for one service to another, because TLS does not protect the IP address or port number,” Marcus Brinkmann, a researcher at Ruhr University Bochum in Germany, told Ars Technica.
A problem that could grow over time
“In the past, people have considered attacks where the MitM attacker redirects a browser to a different web server, but we are considering the case where the attacker redirects the browser from the webserver to a different application server such as FTP or email.”
“Overall, the attack is very situational and targets individual users,” Brinkmann said. “So, the individual risk for users is probably not very high. But over time, more and more services and protocols are protected with TLS, and more opportunities for new attacks that follow the same pattern arise. We think it’s timely and important to mitigate these issues at the standardization level before it becomes a larger problem.”