TLS attacks and anti-censorship hacks

The Transport Layer Security (TLS) protocol emerged as a focal point of attention for the information security world during August as the Chinese government updated its censorship tool, the Great Firewall of China, to block HTTPS traffic with the latest TLS version. The topic got even more attention when security researchers offered workarounds to TLS-enabled censorship and demonstrated potential TLS-based attacks at DEF CON: Safe Mode.

TLS is a widely adopted protocol that enables privacy and data security for internet communications, mostly by encrypting communications between web applications and servers. TLS 1.3, the most recent version, was published in 2018. TLS is the foundation of the more familiar HTTPS technology and hides communications from uninvited third parties, even as it does not necessarily hide the identity of the users communicating.

TLS 1.3 introduced something called encrypted server name indication (ESNI), which makes it difficult for third parties, such as nation-states, to censor HTTPS communications. In early August, three organizations — iYouPort, the University of Maryland and the Great Firewall Report — issued a joint report about the apparent blocking of TLS connections with the ESNI extension in China.

Using a simple Python program, the group discovered that the Great Firewall blocks ESNI connections from client to server and temporarily bans the IP addresses involved. The organizations say they have been able to find circumvention techniques that can be used either in apps or software or on the server side to thwart China’s censorship blocks, but they consider these solutions temporary.

Domain hiding circumvents Chinese censorship

Another, possibly more effective, solution to dodging Chinese censorship was offered in a DEF CON talk entitled “Domain Fronting is Dead, Long Live Domain Fronting,” given by Erik Hunstad, CTO and adversary emulation lead at cybersecurity solutions company SixGen. With domain fronting, internet censorship is circumvented using large certificate and hosting providers to deploy different domain names at different communications layers in HTTPS.

“With domain fronting, the client connects to the front domain, not the true destination domain,” Hunstad said. “You can think of domain fronting like a postcard inside an envelope. On the outside of the envelope, the client writes the address of the CDN (content delivery network), but on the inside, the true destination domain is on the postcard.”

When CDNs open the letter, they deliver the postcard to the true destination internally. The use of domain fronting was significantly undercut in 2018 when the Russian government put pressure on cloud providers to stop allowing this protection because popular messaging app Telegram was using both Google and Amazon cloud services for domain fronting. Today only Microsoft’s Azure and a handful of smaller companies still permit domain fronting.

As a consequence, Hunstad has developed a new technique to get around censorship that he calls “domain hiding.” The new technique “accomplishes the same goals as domain fronting, but uses different technologies,” Hunstad said. He accomplishes domain hiding by leveraging top content delivery network Cloudflare and requiring apps to have Cloudflare manage their domain DNS records.

“A TLS 1.3 connection with an ESNI of the true destination is made to any Cloudflare IP and the underlying HTTPS request also has a host header of the true destination. This enables any Cloudflare-owned IP to act as a front for any domain hosted by Cloudflare DNS,” he said. At DEF CON, Hunstad released a new tool he’s calling Noctilucent that automates the process of hiding domains using his new technique.

“Best of all, the requirements to sign up for Cloudflare DNS are minimal and it’s free,” Hunstad said. “What domains can we use for this hiding? It turns out a lot. Over 21% of the top 100,000 sites are behind Cloudflare and allow this to work.” A lot of different sites appear in this top 100,000 list, including security related sites, banks, sports, higher education streaming services, government sites and porn. “So much porn,” Hunstad said.

TLS as an attack vector

Joshua Maddox of security firm Latacorta warned about the use of TLS as an attack vector during his DEF CON lightning talk entitled “When TLS Hacks You.” He demonstrated that TLS can be used as a mechanism for attacking web-based systems by leveraging an existing class of vulnerability called SSRF, which stands for server-side request forgery.

“You can trick the victim into accepting a weird domain name and [by] parsing it incorrectly you can include stuff like arbitrary bytes in there and smuggle stuff like SMTP (Simple Mail Transfer Protocol) commands. If you establish a session with Jmaddox.com, whether it resolves to something on the internet or your own machine, your HTTPS client will not know the difference,” Maddox said pointing to how TLS sessions are cached and can be exploited.

“Since I, as an attacker, own jmaddox.com, I can combine all this TLS stuff with a concept called DNS rebinding” to “get arbitrary characters to be sent which includes new lines” that allow an attacker to interact with local services. DNS rebinding is a method for manipulating domain name resolutions.

One solution to the problem identified by Maddox is for sessions to be removed between servers, which he pitched to the Chromium team earlier this year. Chromium didn’t quite accept that solution but did suggest a solution that would partition the servers based on whether the address is local. “It wouldn’t affect performance but it would protect against most of the attack scenarios that I could think of,” Maddox said.

Otherwise, “as an internet user you can pick Firefox and disable session identifiers if you’re paranoid about this stuff,” he said. For web applications, it’s a good idea to run outbound requests through a proxy and reconsider your infrastructure decisions.

Maddux has released a tool called TLS Poison that “allows for generic SSRF via TLS, as well as CSRF [cross-site request forgery] via image tags in most browsers.” Once everything is set up properly in TLS Poison, both the TLS session poisoning and DNS rebinding steps should be fully functional.