HTTPS can be used to hack Email and FTP servers

Jun 10, 2021 08:16 GMT

When you visit an HTTPS-protected website, your browser does not pass data to the web server until it has verified the website's digital certificate. This prevents hackers who can monitor or alter the flow of data between you and the website from collecting authentication cookies or running malware on your device, says Ars Technica.

The risk arises when a cybercriminal can trick the browser into connecting to an email or FTP server whose certificate is also valid for the website's domain name.

Because the domain name of the website matches a name in the email or FTP server's certificate, the browser will often complete the TLS handshake with one of these servers rather than with the website the user intended to reach.

The danger of using HTTPS to communicate with an email or FTP server 

Because the browser speaks HTTPS while the email or FTP server speaks SMTP, FTPS, or another protocol, the server may read parts of the browser's request as commands of its own protocol, and something could go badly wrong. For example, the decrypted authentication cookie could be disclosed to the attacker, or malicious code could be executed on the visiting machine.

The idea is not as far-fetched as some might think. According to a new study, about 14.4 million web servers use a domain name that is covered by the cryptographic credentials of the same organization's email or FTP server.

About 114,000 of the sites are considered vulnerable because the email or FTP server uses software known to be susceptible to such attacks.

Such attacks are conceivable because TLS does not protect the integrity of the TCP connection itself; it only authenticates and encrypts the channel to a server, whether that server speaks HTTP, SMTP, or another Internet protocol.

Even cornerstone security protocols have flaws 

TLS also encrypts the data transmitted between an end user and a server, so that no one with access to the connection can read or manipulate the content. TLS is a cornerstone of Internet security that millions of servers rely on.

Brinkmann and seven other researchers investigated, in a paper published Wednesday, whether so-called cross-protocol attacks can be used to bypass TLS protections.

A MitM attacker uses this technique to redirect cross-origin HTTP requests to servers that speak SMTP, IMAP, POP3, FTP, or another protocol.

The main components of the attack are (1) the client application used by the targeted end user, referred to as C; (2) the server the target intended to visit, referred to as S_int; and (3) the surrogate server, a machine that speaks SMTP, FTP, or a different protocol than S_int but has the same domain name in its TLS certificate.

The MitM adversary cannot decrypt TLS traffic, but it can do other things. For example, forcing the target's browser to connect to an email or FTP server instead of the intended web server may cause the browser to send its authentication cookie to the FTP server. It could also enable cross-site scripting attacks, where the browser downloads and executes malicious JavaScript hosted on the FTP or email server.
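As an added defender-side example (not code from the article or from the ALPACA researchers), the following Python audits an organisation's own service inventory for the precondition described above: a mail or FTP server presenting a certificate that a browser would accept for the web origin. The service list, port numbers and certificate names are constructed for illustration.

```python
"""Find non-HTTP TLS services whose certificate a browser would accept for the
web origin, i.e. surrogate-server candidates for cross-protocol confusion.
Constructed example; the inventory below is fictional."""
from dataclasses import dataclass


@dataclass
class TlsService:
    name: str          # label we assign to the service (assumption)
    port: int          # TLS port the service listens on
    san_names: list    # dNSName entries from the service's certificate


def hostname_matches(hostname: str, pattern: str) -> bool:
    """True if a certificate name (possibly a wildcard) covers hostname.

    Uses the common browser rules: case-insensitive comparison, a wildcard is
    honoured only as the complete leftmost label of a name with at least three
    labels, and it matches exactly one label, so *.example.com covers
    www.example.com but neither example.com nor a.b.example.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if "*" in pattern:
        if pat[0] != "*" or len(pat) < 3 or any("*" in lbl for lbl in pat[1:]):
            return False
        return host[1:] == pat[1:]
    return host == pat


def cross_protocol_candidates(web_host: str, services: list) -> list:
    """Return (name, port, matching SAN) for every service whose certificate
    would validate for web_host; each is a surrogate-server candidate."""
    found = []
    for svc in services:
        for san in svc.san_names:
            if hostname_matches(web_host, san):
                found.append((svc.name, svc.port, san))
                break
    return found


# Constructed inventory for a fictional organisation (example.com is reserved).
SERVICES = [
    TlsService("smtp", 465, ["mail.example.com", "*.example.com"]),
    TlsService("imap", 993, ["imap.example.com"]),
    TlsService("ftp", 990, ["www.example.com", "ftp.example.com"]),
]

if __name__ == "__main__":
    for name, port, san in cross_protocol_candidates("www.example.com", SERVICES):
        print(f"{name}:{port} presents {san!r}, which is valid for www.example.com")
```

Any service listed by the audit shares the web origin's identity at the TLS layer and should be reviewed first when applying the paper's mitigations.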

ALPACA (application layer protocols allowing cross-protocol attacks) is the name the researchers have given to their cross-protocol attacks. ALPACA does not currently pose a significant threat to most people.

However, the risk may grow if new attacks or vulnerabilities are discovered, or if TLS is used to secure additional communication paths.