CDNs’ Dark Side: Security Problems in CDN-to-Origin Connections

Behnam Shobiri, Mohammad Mannan, A. Youssef
Digital Threats: Research and Practice, Journal Article, published 2022-07-19. DOI: 10.1145/3499428 (https://doi.org/10.1145/3499428)
Citation count: 1

Abstract

Content Delivery Networks (CDNs) play a vital role in today’s Internet ecosystem. To reduce the latency of loading a website’s content, CDNs deploy edge servers in different geographic locations. CDN providers also offer important security features including protection against Denial of Service (DoS) attacks, Web Application Firewalls (WAFs), and recently, issuing and managing certificates for their customers. Many popular websites use CDNs to benefit from both the security and the performance advantages. For HTTPS websites, Transport Layer Security (TLS) security choices may differ in the connections between end-users and a CDN (front-end or user-to-CDN), and between the CDN and the origin server (back-end or CDN-to-Origin). Modern browsers can stop/warn users if weak or insecure TLS/HTTPS options are used in the front-end connections. However, such problems in the back-end connections are not visible to browsers or end-users, and lead to serious security issues (e.g., not validating the certificate can lead to MitM attacks). In this article, we primarily analyze TLS/HTTPS security issues in the back-end communication; such issues include inadequate certificate validation and support for vulnerable TLS configurations. We develop a test framework and investigate the back-end connection of 14 leading CDNs (including Cloudflare, Microsoft Azure, Amazon, and Fastly), where we could create an account. Surprisingly, for all the 14 CDNs, we found that the back-end TLS connections are vulnerable to security issues prevented/warned by modern browsers; examples include failing to validate the origin server’s certificate, and using insecure cipher suites such as RC4, MD5, SHA-1, and even allowing plain HTTP connections to the origin. We also identified 168,795 websites in the Alexa top 1 million that are potentially vulnerable to Man-in-the-Middle (MitM) attacks in their back-end connections regardless of the origin/CDN configurations chosen by the origin owner.