ALPACA: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication


Marcus Brinkmann, Ruhr University Bochum; Christian Dresen, Münster University of Applied Sciences; Robert Merget, Ruhr University Bochum; Damian Poddebniak, Münster University of Applied Sciences; Jens Müller, Ruhr University Bochum; Juraj Somorovsky, Paderborn University; Jörg Schwenk, Ruhr University Bochum; Sebastian Schinzel, Münster University of Applied Sciences


TLS is widely used to add confidentiality, authenticity and integrity to application layer protocols such as HTTP, SMTP, IMAP, POP3, and FTP. However, TLS does not bind a TCP connection to the intended application layer protocol. This allows a man-in-the-middle attacker to redirect TLS traffic to a different TLS service endpoint on another IP address and/or port. For example, if subdomains share a wildcard certificate, an attacker can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one service may compromise the security of the other at the application layer.

In this paper, we investigate cross-protocol attacks on TLS in general and conduct a systematic case study on web servers, redirecting HTTPS requests from a victim's web browser to SMTP, IMAP, POP3, and FTP servers. We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security.

We evaluate the real-world attack surface of web browsers and widely-deployed email and FTP servers in lab experiments and with internet-wide scans. We find that 1.4M web servers are generally vulnerable to cross-protocol attacks, i.e., TLS application data confusion is possible. Of these, 114k web servers can be attacked using an exploitable application server. Finally, we discuss the effectiveness of TLS extensions such as Application Layer Protocol Negotiation (ALPN) and Server Name Indiciation (SNI) in mitigating these and other cross-protocol attacks.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {272252,
author = {Marcus Brinkmann and Christian Dresen and Robert Merget and Damian Poddebniak and Jens M{\"u}ller and Juraj Somorovsky and J{\"o}rg Schwenk and Sebastian Schinzel},
title = {{ALPACA}: Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in {TLS} Authentication},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {4293--4310},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video