Several security researchers from the Ruhr University Bochum describe on a websitewhat attacks might look like. They called their attack “Alpaca” (application layer protocols allowing cross-protocol attacks). The background to this is that TLS does not differentiate between protocols when transmitting data. TLS guarantees the integrity of a server, but not that of a TCP connection.
At this point, attackers could start a confusion attack and thus allow different protocols to talk to one another. It would be conceivable, for example, to redirect traffic within a valid TLS session. In theory, this could work with protocols like FTP, IMAP, POP3, and SMTP. As a result, email, FTP, and web servers are at risk.
Several attacks imaginable
According to their own statements, the security researchers were able to trigger successful attacks in the interaction of web browsers and e-mail and FTP servers under laboratory conditions. For example, they extracted authentication cookies. XSS attacks (stored, reflected) should also be possible.
According to the experts, however, successful attacks depend on many factors and execution should be a challenge. A prerequisite is that an attacker already has access to a connection as man-in-the-middle. In addition, the following applies: A valid TLS connection is only established if the domain name of a website is identical to that of an email or FTP server. Detailed information execute the security researchers in a comprehensive report.
Protection from alpaca
The security researchers currently rate the risk of attacks as not very high. Nevertheless, they warn that these or similar attacks could cause security problems in the future if TLS is used more frequently.
Admins can already protect their servers from this by activating the TLS extension Application Layer Protocol Negitiation (ALPN), for example. The approach ensures that the client and server coordinate the protocols. If a protocol that is not permitted is used, ALPN can break off connections and thus prevent cross-protocol attacks.