Alternative (ab)uses for HTTP Alternative Services
Trishita Tiwari, Ari Trachtenberg
Boston University
This research was partly supported by National Science Foundation, grant CCF-1563753
@fork_while_1
Outline
1. Background: HTTP
2. Alt-Svc header
3. Attacks w/ Alt-Svc
4. Mitigations
5. Industry response
6. Conclusion
HTTP
● HTTP/1.0 in 1996
● Simple headers:
○ Hostname
○ Referer
○ User-Agent
HTTP
● HTTP expanded:
○ Caching
○ Dynamic content
○ Request multiplexing
● Result = more papers for security researchers 😉
HTTP
● HTTP is as old as me (22 yrs)
● Yet hard to introduce secure protocol updates.
Alternative Services (RFC 7838)
● Yet another HTTP header!!
● Allows website to specify equivalent alternate endpoint
(Tired senior who needs to finish thesis)
Alternative Services (RFC 7838)
Diagram: Client browser, original.com, alt.com:443
1. Client browser requests https://original.com/
2. original.com responds with HTML content and Alt-Svc: alt.com:443…
3. Client browser sends TLS client hello to alt.com:443
4. alt.com:443 replies with TLS Server hello, cert exchange
5. Mapping cached if cert valid for original.com
Alt-Svc format
Alt-Svc: h2="www.google.com:123"; ma=123456
● Protocol (http/1.1, quic, h2c, ftp, etc.): h2
● Domain/IP: www.google.com
● Port: 123
● Max age (s): ma=123456
Alt-Svc Uses
● Load balancing
● Client segmentation
● Advertising endpoints with new protocols
Overview of abuse
Alt-Svc Abuses:
● History Exfiltration
● DDoS
● Tracking
● Malware protection bypass
● Port Scan (CVE-2019-11728)
Threat model
● Case #1:
○ Attacker controls website(s)
● Case #2:
○ Attacker controls website(s)
○ Monitors victim network traffic
■ E.g. Cafe/Airport WiFi
Port-Scan (CVE-2019-11728)
● (Distributed) port scanning (from browser context).
http://evil.com/p1 responds with Alt-Svc: "h2=localhost:25"
Browser validates Alt-Svc
Port-Scan (CVE-2019-11728)
Timing diagram (Closed Port vs Open Port, over Time):
● Closed Port: the first PKT is answered with a RST
● Open Port: several PKTs are exchanged before any RST
● Then http://evil.com/p2 is served via Redirect with Alt-Svc: "h2=evil2.com:443"
● In one case the Browser connects to the new Alt-Svc; in the other the Browser DOES NOT connect to the new Alt-Svc
Port-Scan consequences
● Distributed port scanning
● Localhost, private networks (behind firewall/NAT)
● TCP ports, some UDP ports
● Attacker identity is not revealed!
Malware protection bypass
Diagram: Victim browser, Safe browsing, www.dangerous.com
● Blocks first and third party:
○ www.dangerous.com in URL bar
○ <img src=www.dangerous.com> in www.example.com
Malware protection bypass
● www.example.com specifies www.dangerous.com as its Alt-Svc.
● Browser allows content loading from www.dangerous.com! 💩
Two-faced content
● Original www.example.com: automated scanners check
● Alt-Svc www.dangerous.com: user browser loads
Vulnerable: URLVoid, VirusTotal, Sucuri, IPVoid
DDoS
● Many clients connect to victim Alt-Svc endpoint: DDoS!
○ Long timeouts
○ Bandwidth Exhaustion
DDoS: Long timeouts
Diagram: Attacker, Browser, Victim Server; browsers hold long lasting connections to the victim (⚰RIP)
● FTP, SMTP, etc. servers
DDoS: Bandwidth exhaustion
Diagram: Attacker, Browser, Victim Server; small TLS client hello packets from browsers, large TLS server certs back from the victim (⚰RIP)
● SMTP, HTTPS, etc. (any TLS speaking servers).
Tracking
● Alt-Svc mapping is cached by browser.
● Specify unique value for each user to track.
● Works 1st and 3rd party, bypassing known tracking blockers.
History exfiltration
● Captive WiFi Portal
● Restaurants, coffee shops, hotels
History exfiltration
Diagram: ISP 1, Victim, wifi.login.com. Question: Did Victim visit illegal.com?
wifi.login.com serves <iframe src=illegal.com>
● Unvisited: Victim connects to illegal.com
● Visited: Victim connects to alt.illegal.com
ISP 1, monitoring the victim's traffic, sees which host the connection goes to.
Mitigations
● Port-Scan, DDoS: Block sensitive ports
● Safe Browsing: Alt-Svc domain check
● Tracking, History Exfiltration: Isolate Alt-Svc cache
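The Alt-Svc header breakdown earlier in the deck and the three mitigations on this slide, as one added Python example (not code from the talk or from any browser): an RFC 7838 Alt-Svc value parser, a policy check that rejects sensitive ports and Safe Browsing-blocked hosts, and a cache keyed by top-level site so a mapping learned first-party is not reused third-party. The port list and blocked-host set are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed policy values: the mitigation slide says "block sensitive ports"
# and "Alt-Svc domain check" without listing them, so these are illustrative.
SENSITIVE_PORTS = {21, 22, 23, 25, 110, 143, 587}
BLOCKED_HOSTS = {"www.dangerous.com"}   # stand-in for a Safe Browsing lookup

# alt-value = protocol-id "=" quoted alt-authority, then optional ;-parameters
ALT_VALUE = re.compile(r'^\s*([^=\s",;]+)\s*=\s*"([^"]*)"\s*(.*)$')


@dataclass(frozen=True)
class AltSvc:
    protocol: str   # ALPN id, e.g. h2
    host: str       # alternative host; defaults to the origin host
    port: int
    max_age: int    # seconds the mapping may be cached (ma parameter)


def parse_alt_svc(header, origin_host):
    """Parse an Alt-Svc header value (RFC 7838) into AltSvc records.
    The special value 'clear' drops all cached alternatives and yields []."""
    if header.strip().lower() == "clear":
        return []
    alts = []
    for entry in header.split(","):
        m = ALT_VALUE.match(entry)
        if not m:
            continue                           # malformed entry: ignore it
        proto, authority, params = m.groups()
        host, sep, port = authority.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            continue                           # authority must end in ":port"
        max_age = 86400                        # RFC 7838 default for ma
        for p in params.split(";"):
            key, _, val = p.strip().partition("=")
            if key.lower() == "ma" and val.isdigit():
                max_age = int(val)
        alts.append(AltSvc(proto, host or origin_host, int(port), max_age))
    return alts


def alt_svc_allowed(alt):
    """Apply the talk's first two mitigations. Returns (allowed, reason)."""
    if alt.port in SENSITIVE_PORTS:
        return False, "sensitive port"          # Port-Scan, DDoS
    if alt.host in BLOCKED_HOSTS:
        return False, "blocked host"            # Safe Browsing domain check
    return True, "ok"


class AltSvcCache:
    """Alt-Svc cache keyed by (top-level site, origin): a mapping learned while
    illegal.com was the first party is invisible when wifi.login.com embeds it,
    which is the talk's third mitigation (Tracking, History Exfiltration)."""

    def __init__(self):
        self._entries = {}

    def store(self, top_level_site, origin_host, header):
        accepted = [a for a in parse_alt_svc(header, origin_host)
                    if alt_svc_allowed(a)[0]]
        self._entries[(top_level_site, origin_host)] = accepted
        return accepted

    def lookup(self, top_level_site, origin_host):
        return self._entries.get((top_level_site, origin_host), [])
```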
Industry response
Table: rows Port-Scan, DDoS, Malware protection bypass, Tracking, History exfiltration; columns Firefox, TOR, Chrome, Brave; legend: Fixed, In process, Unpatched, Unaffected (cell values were colour-coded in the slide and do not survive in the transcript)
Conclusion
● New but widely adopted Alt-Svc is vulnerable
● 5 attacks(!), despite:
○ Maturity of HTTP
○ Highly competent browser developers
● Securing is not easy!
References
● Icons made by Smashicons from Flaticon is licensed by CC 3.0 BY
● Icons made by Freepik from Flaticon is licensed by CC 3.0 BY
● Http Icon #286170 made by Icon Library
Questions?