Home > Cyber News > The ALPACA Attack and the Risk of Using Poorly Scoped TLS Certificates
CYBER NEWS

The ALPACA Attack and the Risk of Using Poorly Scoped TLS Certificates

by   |  Last Update:  |  0 Comments  

alpaca-attack-sensorstechforum

NSA recently released a warning regarding a specific type of attack, known as the ALPACA technique. Shortly said, the Agency is warning network administrators of the risk of using “poorly scoped wildcard Transport Layer Security (TLS) certificates.”

NSA’s guidance also contains details about the so-called ALPACA attack, or Application Layer Protocols Allowing Cross-Protocol Attacks. This technique allows cybercriminals to access sensitive information.

First of all, what is a wildcard certificate? It is a public key certificate which can be utilized with multiple sub-domains of a domain. Applied mainly for security websites with HTTPS, this type of certificate can be used in many other fields, as well.




“Wildcard certificates are used to authenticate multiple servers and simplify credential management, saving time and money. However, if one server hosting a wildcard certificate is compromised, all other servers that can be represented by the wildcard certificate are put at risk. A malicious cyber actor with a wildcard certificate’s private key can impersonate any of the sites within the certificate’s scope and gain access to user credentials and protected information,” NSA said.

The ALPACA Attack: Mitigations

As for the ALPACA technique, it exploits hardened web apps via non-HTTP services secured with a TLS certificate with scopes matching the web application. The technique increases the already existing risk of using poorly scoped wildcard certificates, the Agency added.

To mitigate this risk, NSA recommends the following actions:

  • Understanding the scope of each wildcard certificate used in your organization
  • Using an application gateway or web application firewall in front of servers, including non-HTTP servers
  • Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
  • Enabling Application-Layer Protocol Negotiation (APLN), a TLS extension that allows the server/application to specify permitted protocols where possible
  • Maintaining web browsers at the latest version with current updates

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:
Twitter

Related posts:
  1. Apple, Microsoft, and Google Drop Support for TLS 1.0 and TLS 1.1 Three of the biggest tech companies, Apple, Microsoft, and Google,...
  2. DNS Unlocker PUP (Adware) – How to Remove It and Stop Ads This article has been made with the idea in mind...
  3. DNS Unlocker Mac Ads Virus Removal Guide What Is DNS Unlocker for Mac DNS Unlocker Mac is...
  4. DNS Unlocker Ads 2016 Removal Update DNS Unlocker is a very intrusive and aggressive adware program....
  5. Russia Issues Its Own TLS Certificate Authority Russia currently offers its own TLS (Transport Layer Security) CA...
  6. Google Android Developers Release New Nogotofail Tool for Testing Unsecure TLS/SSL Certificates A new tool for security network testing called Nogotofail, was...
  7. Remove Ads by DNS Unlocker and Dnspalenville.exe An extremely aggressive and intrusive adware, DNS Unlocked has been...
  8. DNS Unlocker Description and Removal Steps This article aims to explain to you what is the...

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree