NSA recently released a warning regarding a specific type of attack, known as the ALPACA technique. In short, the Agency is warning network administrators of the risk of using “poorly scoped wildcard Transport Layer Security (TLS) certificates.”
NSA’s guidance also contains details about the so-called ALPACA attack, or Application Layer Protocols Allowing Cross-Protocol Attacks. This technique allows cybercriminals to access sensitive information.
First of all, what is a wildcard certificate? It is a public key certificate whose subject name contains a wildcard label, such as *.example.com, so that a single certificate is valid for many sub-domains of a domain. The wildcard covers exactly one label: *.example.com matches www.example.com and mail.example.com, but not example.com itself or a.b.example.com. Used mainly to secure websites over HTTPS, this type of certificate can also protect any other TLS-wrapped service (mail, FTP, and so on), which is what makes its scope matter.
“Wildcard certificates are used to authenticate multiple servers and simplify credential management, saving time and money. However, if one server hosting a wildcard certificate is compromised, all other servers that can be represented by the wildcard certificate are put at risk. A malicious cyber actor with a wildcard certificate’s private key can impersonate any of the sites within the certificate’s scope and gain access to user credentials and protected information,” NSA said.
The ALPACA Attack: Mitigations
As for the ALPACA technique, it exploits hardened web apps via non-HTTP services (for example FTPS or SMTP over TLS) that are secured with a TLS certificate whose scope also covers the web application’s hostname. An attacker positioned between the client and the server redirects a TLS session intended for the web application to one of those non-HTTP services; because the certificate that service presents is valid for the web application’s name, the browser accepts the handshake, and the attacker can then abuse the protocol mismatch to leak or inject data. The technique increases the already existing risk of using poorly scoped wildcard certificates, the Agency added.
To mitigate this risk, NSA recommends the following actions:
- Understanding the scope of each wildcard certificate used in your organization
- Using an application gateway or web application firewall in front of servers, including non-HTTP servers
- Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
- Enabling Application-Layer Protocol Negotiation (ALPN), a TLS extension in which the client advertises the protocols it intends to speak and the server selects one; a server configured to reject handshakes that do not negotiate its own protocol will refuse a browser session that has been redirected to it
- Maintaining web browsers at the latest version with current updates
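The first mitigation, knowing the scope of every wildcard certificate, is the one most organizations skip because it needs an inventory rather than a product. The following is an added example (not NSA’s guidance or code) of what that inventory check looks like: it implements the one-label wildcard matching rule browsers apply, lists which inventoried hosts each wildcard name covers, and flags every HTTPS host for which some non-HTTP listener presents a certificate valid for that host, which is exactly the pairing ALPACA abuses. The service inventory is constructed for illustration; in practice it would be filled from a scanner or from the certificates pulled off each listener.

```python
"""Wildcard certificate scope audit (added example, not from NSA's guidance).

Given an inventory of TLS listeners and the subject alternative names (SANs)
each one presents, report the scope of every wildcard name and flag HTTPS
hosts that share certificate scope with a non-HTTP service.
"""

# Constructed inventory: (hostname, port, protocol, SANs presented by that listener).
SERVICES = [
    ("www.example.com", 443, "https", ["*.example.com", "example.com"]),
    ("api.example.com", 443, "https", ["api.example.com"]),          # narrowly scoped cert
    ("mail.example.com", 465, "smtps", ["*.example.com"]),            # wildcard on a mail server
    ("ftp.example.com", 990, "ftps", ["*.example.com"]),              # wildcard on an FTPS server
    ("dev.api.example.com", 443, "https", ["*.api.example.com"]),     # two labels below example.com
    ("intranet.corp.example.net", 443, "https", ["*.corp.example.net"]),
]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a certificate SAN is valid for hostname.

    Rules follow RFC 6125 as browsers apply them: a wildcard must be the whole
    leftmost label, it matches exactly one label, partial wildcards such as
    "w*.example.com" never match, and a wildcard directly under a top-level
    domain ("*.com") is rejected as a defence-in-depth check.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname            # exact name, or a malformed partial wildcard
    san_labels = san.split(".")[1:]       # labels to the right of the wildcard
    if len(san_labels) < 2:
        return False                      # "*.com"-style names are not acceptable
    host_labels = hostname.split(".")
    if len(host_labels) != len(san_labels) + 1:
        return False                      # wildcard covers exactly one label
    first = host_labels[0]
    return first != "" and "*" not in first and host_labels[1:] == san_labels


def wildcard_scope(services):
    """Map each wildcard SAN in the inventory to the inventoried hosts it covers."""
    wildcards = {san for _, _, _, sans in services for san in sans if san.startswith("*.")}
    return {
        wc: sorted({host for host, _, _, _ in services if san_matches(wc, host)})
        for wc in sorted(wildcards)
    }


def alpaca_candidates(services):
    """For each HTTPS host, list non-HTTP listeners whose certificate is valid
    for that host. A session for the HTTPS host redirected to any listed
    listener would pass certificate validation."""
    findings = {}
    for host, _, proto, _ in services:
        if proto != "https":
            continue
        risky = sorted(
            f"{o_host}:{o_port}/{o_proto}"
            for o_host, o_port, o_proto, o_sans in services
            if o_proto != "https" and any(san_matches(s, host) for s in o_sans)
        )
        if risky:
            findings[host] = risky
    return findings


if __name__ == "__main__":
    for wc, hosts in wildcard_scope(SERVICES).items():
        print(f"{wc} covers: {', '.join(hosts)}")
    for host, listeners in alpaca_candidates(SERVICES).items():
        print(f"ALPACA candidate: {host} <- {', '.join(listeners)}")
```

Note that api.example.com is flagged even though its own certificate is narrowly scoped: the mail and FTPS listeners present *.example.com, which is valid for api.example.com, so the risk is created by the wildcard wherever it is deployed, not only on the web server. dev.api.example.com is not flagged because *.example.com does not reach two labels down.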