Alternative Abuses for HTTP Alternative Services

Presented by Ari Trachtenberg

Abstract

(from the paper)

The HTTP Alternative Services header (Alt-Svc) was introduced in 2013 in a bid to streamline load balancing, protocol optimizations, and client segmentation, and it has since been subsequently implemented in almost all mobile and desktop browsers. We show that the major implementations of the header are independently susceptible to a variety of stealthy abuse. Indeed, we demonstrate how Alternative Services may be leveraged to scan ports blacklisted by browsers, probe firewalled hosts, and mount Distributed Denial of Service attacks. These services may also be misused to bypass popular phishing and malware protection services like Safe Browsing, and also online site checkers like VirusTotal, URLVoid, Sucuri and IPVoid. In the privacy realm, the Alt-Svc header may be abused for user tracking: at the network layer by Internet Service Providers (ISPs), and at the application layer by first and third party websites (where we bypass third-party tracking protections on Firefox, Chrome and Brave). In a similar manner, the header may be used by transiently connected ISPs to exfiltrate parts of a victim's browser history. Our attacks work, to varying extents, on Firefox, Tor, Chrome, and Brave browser, and have been disclosed accordingly--so far, one of our vulnerabilities has been patched by Mozilla as CVE-2019-11728. We conclude with proposed mitigations for some of these abuses.
