New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information.

The attacks have been dubbed ALPACA, short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

"Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session," the study said. "This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer."

TLS is a cryptographic protocol underpinning several application layer protocols like HTTPS, SMTP, IMAP, POP3, and FTP to secure communications over a network with the goal of adding a layer of authentication and preserving integrity of exchanged data while in transit.

ALPACA attacks are possible because TLS does not bind a TCP connection to the intended application layer protocol, the researchers elaborated. The failure of TLS to protect the integrity of the TCP connection could therefore be abused to "redirect TLS traffic for the intended TLS service endpoint and protocol to another, substitute TLS service endpoint and protocol."


Level 7
Apr 5, 2021
If I understand this attack correctly, it's not simply a case where a victim through no fault or poor decisions on their own would result in a compromise, but rather the victim needs to fall for some sort of trick, getting them to open a malicious website?

The attacks, however, hinge on the prerequisite that the perpetrator can intercept and divert the victim's traffic at the TCP/IP layer.

Put simply, the attacks take the form of a man-in-the-middle (MitM) scheme wherein the malicious actor entices a victim into opening a website under their control to trigger a cross-origin HTTPS request with a specially crafted FTP payload. This request is then redirected to an FTP server that uses a certificate that's compatible with that of the website, culminating in a valid TLS session.


Level 12
Top poster
Aug 2, 2020
I am an admin, should I drop everything and fix this?

Probably not. For the ALPACA attack to succeed, many preconditions need to be fulfilled. The generic attack requires a MitM attacker that can intercept and divert the victim's traffic at the TCP/IP layer. However, if you run application servers such as FTP and email on non-standard ports that are not blocked by browsers, you should make sure that you are not vulnerable to the web attacker variant of ALPACA that can affect users of Internet Explorer.

What can the attackers gain?​

For the specific attacks on HTTPS described in the paper, the attacker can potentially steal cookies or perform a cross-site scripting attacks.

However, the potential consequences to the general ALPACA attack are dependent on the interactions of two unknown protocols, so any number of undesirable behaviors may be possible.