Assessing and Exploiting Domain Name Misinformation

TL;DR

This paper investigates the prevalence of domain name misinformation support in cloud providers, introduces a measurement methodology, and presents a novel attack exploiting domain fronting to compromise HTTPS security guarantees.

Contribution

It constructs an ontology of domain name misinformation, develops a measurement methodology, and proposes a new attack exploiting domain fronting vulnerabilities.

Findings

Many cloud providers support domain fronting despite public denials.

The attack can man-in-the-middle encrypted traffic without detection.

HTTPS security guarantees can be broken using the proposed method.

Abstract

Cloud providers' support for network evasion techniques that misrepresent the server's domain name is more prevalent than previously believed, which has serious implications for security and privacy due to the reliance on domain names in common security architectures. Domain fronting is one such evasive technique used by privacy enhancing technologies and malware to hide the domains they visit, and it uses shared hosting and HTTPS to present a benign domain to observers while signaling the target domain in the encrypted HTTP request. In this paper, we construct an ontology of domain name misinformation and detail a novel measurement methodology to identify support among cloud infrastructure providers. Despite several of the largest cloud providers having publicly stated that they no longer support domain fronting, our findings demonstrate a more complex environment with many exceptions. We also present a novel and straightforward attack that allows an adversary to man-in-the-middle all the victim's encrypted traffic bound to a content delivery network that supports domain fronting, breaking the authenticity, confidentiality, and integrity guarantees expected by the victim when using HTTPS. By using dynamic linker hijacking to rewrite the HTTP Host field, our attack does not generate any artifacts that are visible to the victim or passive network monitoring solutions, and the attacker does not need a separate channel to exfiltrate data or perform command-and-control, which can be achieved by rewriting HTTP headers.