
The ALPACA Attack and the Risk of Using Poorly Scoped TLS Certificates


NSA recently released a warning about a specific type of attack known as the ALPACA technique. In short, the Agency is warning network administrators of the risk of using “poorly scoped wildcard Transport Layer Security (TLS) certificates.”

NSA’s guidance also contains details about the so-called ALPACA attack, or Application Layer Protocols Allowing Cross-Protocol Attacks. This technique allows cybercriminals to access sensitive information.

First of all, what is a wildcard certificate? It is a public key certificate that can be used for multiple subdomains of a single domain. Although mainly used to secure websites with HTTPS, this type of certificate can also be used in many other fields.

“Wildcard certificates are used to authenticate multiple servers and simplify credential management, saving time and money. However, if one server hosting a wildcard certificate is compromised, all other servers that can be represented by the wildcard certificate are put at risk. A malicious cyber actor with a wildcard certificate’s private key can impersonate any of the sites within the certificate’s scope and gain access to user credentials and protected information,” NSA said.

The ALPACA Attack: Mitigations

As for the ALPACA technique, it attacks hardened web applications through non-HTTP services that are secured with a TLS certificate whose scope also covers the web application. The technique increases the already existing risk of using poorly scoped wildcard certificates, the Agency added.

To mitigate this risk, NSA recommends the following actions:

  • Understanding the scope of each wildcard certificate used in your organization
  • Using an application gateway or web application firewall in front of servers, including non-HTTP servers
  • Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
  • Enabling Application-Layer Protocol Negotiation (ALPN), a TLS extension that allows the server or application to specify which protocols are permitted, wherever possible
  • Maintaining web browsers at the latest version with current updates
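The first and fourth mitigations above, certificate scope and strict ALPN, as an added example that is not part of NSA's guidance or this article: a Go program (my own code) builds a throwaway self-signed "*.example.com" certificate, checks which host names it covers, and runs in-memory TLS handshakes to show that a non-HTTP service which ignores ALPN completes a handshake with a browser-style client, while the same service enforcing its own protocol identifier rejects it. The names "*.example.com" and "mail.example.com" are constructed for the demo, "smtp" is an illustrative identifier rather than a registered ALPN id, and the rejection relies on Go's crypto/tls (1.17 or later) failing the handshake when the client's and server's ALPN lists do not overlap.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// wildcardCert builds a throwaway self-signed "*.example.com" leaf (constructed for this demo) in TLS and parsed form.
func wildcardCert() (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"*.example.com"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// Handshake runs one in-memory TLS handshake: serverProtos is the ALPN allow-list the server enforces
// (nil = not enforced), clientProtos what the client offers. Returns the negotiated protocol and server error.
func Handshake(serverProtos, clientProtos []string) (string, error) {
	cert, _ := wildcardCert()
	srvConn, cliConn := net.Pipe()
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert},
		NextProtos: serverProtos, SessionTicketsDisabled: true}) // no tickets: keeps the synchronous pipe simple
	cli := tls.Client(cliConn, &tls.Config{ServerName: "mail.example.com",
		NextProtos: clientProtos, InsecureSkipVerify: true}) // no chain check: self-signed demo cert
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake(); srvConn.Close() }()
	cli.Handshake() // a client-side failure here is mirrored by the server-side error returned below
	cliConn.Close()
	return cli.ConnectionState().NegotiatedProtocol, <-srvErr
}

func main() {
	browser := []string{"h2", "http/1.1"}             // ALPN list a browser always offers
	_, lax := Handshake(nil, browser)                 // non-HTTP service ignoring ALPN: the browser gets through
	_, strict := Handshake([]string{"smtp"}, browser) // same service enforcing its own id ("smtp" is illustrative)
	_, parsed := wildcardCert()
	fmt.Println("lax accepted:", lax == nil, "strict rejected:", strict != nil, "covers mail.example.com:", parsed.VerifyHostname("mail.example.com") == nil)
}
```

A client that sends no ALPN at all is still accepted by the strict server, so enforcing ALPN protects against browsers, which always send it, rather than against arbitrary clients.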

Milena Dimitrova
