Virtual Host Confusion: Weaknesses and Exploits

Transport Layer Security (TLS) is commonly used to provide server-authenticated secure channels for HTTPS web applications. From the viewpoint of the client, however, the server authentication guarantees of HTTPS are frequently misconstrued to identify a single HTTPS endpoint or origin whereas, in practice, the HTTPS server may be serving any one of a large set of origins. This issue is even more acute in SPDY, a proposed successor to HTTP already in wide use today, because of a little-known feature that allows TLS sessions to be reused for requests to origins other than the one the session was negotiated for. We study current HTTPS server-side deployments and identify several vulnerabilities in server identification, all of which lead to serious attacks on popular websites and cloud-hosting infrastructures. We show that the common practice of using TLS certificates that cover multiple domains can be exploited if any one of the domains hosts untrusted content. We demonstrate that the use of shared TLS session caches and session tickets across different hosts and connection reuse in SPDY both weaken server authentication. By combining these vulnerabilities with widespread web server configuration problems, we describe practical, high-impact network-based redirection attacks that steal cookies and signon tokens, hijack sessions on popular websites, or can bypass certificate validation. To counter such attacks and to recover the isolation guarantees that are commonly assumed in shared hosting environments, we propose changes to web server software, TLS libraries, and the SPDY protocol and advocate prudent practices for the safe usage of TLS.