STEK Sharing is Not Caring: Bypassing TLS Authentication in Web Servers using Session Tickets

TLS session resumption with session tickets is a widely supported mechanism designed to accelerate TLS connections. It allows a server to use a symmetric Session Ticket Encryption Key (STEK) to encrypt a TLS context in a socalled session ticket, provide the ticket to the client, and later decrypt it during session resumption to obtain the context and seamlessly resume the session. Proper STEK handling is critical and may get complex in scenarios such as virtual hosting, where a single physical server accommodates multiple virtual hosts. Most importantly, these virtual hosts must remain securely isolated, even when they rely on the same TLS STEK for session protection.

We demonstrate how TLS session resumption in virtual hosting can introduce session ticket confusion vulnerabilities, potentially enabling the bypass of both server and client authentication. To validate the practicality of these attacks, we analyzed four implementations and conducted a large-scale evaluation. Our findings revealed that all four implementations – Apache, nginx, (Open)LiteSpeed, and Caddy – are vulnerable to client authentication bypasses. In our largescale scans, we identified six clusters of vulnerable providers, including Fastly, which are susceptible to server authentication bypasses. Our results highlight inconsistent isolation of virtual hosts following TLS session resumption, exposing critical security gaps in modern virtual hosting environments.