The Inner Circle

NSA Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique

    Posted 20 days ago
    Hi All,

    The NSA just published "Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique".

    Executive summary

    Wildcard certificates are often used to authenticate multiple servers, saving organizations time and money. Wildcard certificates have legitimate uses but can confer risk from poorly secured servers to other servers in the same certificate's scope. A new style of web application exploitation, dubbed "ALPACA," increases the risk of using broadly scoped wildcard certificates to verify server identities during the Transport Layer Security (TLS) handshake. Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA) is a technique used to exploit hardened web applications through non-HTTP (Hypertext Transfer Protocol) services secured using the same or a similar TLS certificate. This Cybersecurity Information Sheet details the risks from wildcard certificates and ALPACA and provides mitigations for both. Administrators should assess their environments to ensure that their certificate usage, especially the use of wildcard certificates, does not create unmitigated risks, and in particular, that their organizations' web servers are not vulnerable to ALPACA techniques.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------
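
The assessment step the summary asks for (working out which servers fall inside one certificate's scope, and whether a non-HTTP service shares that scope with a web server) can be scripted. The following is an added example and is not code from the NSA sheet or from the post; the SAN list and the service inventory are constructed for illustration, and the wildcard rule it applies is the one browsers enforce (RFC 6125 section 6.4.3: `*` is honoured only as the whole leftmost label and matches exactly one label).

```python
"""Added example: map TLS services onto the scope of a certificate's SANs and
flag the ALPACA precondition (a non-HTTP service validating under the same
name scope as a web server). Inventory and SANs below are constructed."""

from typing import Dict, List, Tuple

# Constructed inventory: (hostname, port, application protocol).
SERVICES: List[Tuple[str, int, str]] = [
    ("www.example.com", 443, "https"),
    ("legacy.example.com", 443, "https"),
    ("ftp.example.com", 990, "ftps"),
    ("mail.example.com", 465, "smtps"),
    ("deep.dev.example.com", 443, "https"),
    ("example.com", 443, "https"),
]

# Constructed SAN lists: a broad wildcard certificate and a narrowly scoped one.
WILDCARD_SANS = ["*.example.com", "example.com"]
NARROW_SANS = ["www.example.com", "legacy.example.com"]


def san_matches(san: str, host: str) -> bool:
    """Return True if a dNSName SAN entry covers `host`.

    A wildcard is only honoured as the entire leftmost label and matches
    exactly one label: '*.example.com' covers 'ftp.example.com' but not
    'example.com' (no label to match) or 'deep.dev.example.com' (two labels).
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                       # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]        # the part the '*' would stand for
    return leftmost != "" and "." not in leftmost


def scope_report(sans: List[str],
                 services: List[Tuple[str, int, str]]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Group every service under each SAN entry that would validate for it."""
    report: Dict[str, List[Tuple[str, int, str]]] = {san: [] for san in sans}
    for san in sans:
        for svc in services:
            if san_matches(san, svc[0]):
                report[san].append(svc)
    return report


def alpaca_exposure(sans: List[str],
                    services: List[Tuple[str, int, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (san, web_host, other_host, other_protocol) for every pairing of
    an HTTPS server with a non-HTTP TLS service inside the same SAN scope.
    Each such pair is a candidate for cross-protocol (ALPACA-style) abuse and
    should be reviewed, split onto separate certificates, or mitigated with
    strict SNI/ALPN enforcement on the non-HTTP service."""
    findings = []
    for san, covered in scope_report(sans, services).items():
        web = [s for s in covered if s[2] == "https"]
        other = [s for s in covered if s[2] != "https"]
        for w in web:
            for o in other:
                findings.append((san, w[0], o[0], o[2]))
    return sorted(findings)


if __name__ == "__main__":
    for label, sans in (("wildcard", WILDCARD_SANS), ("narrow", NARROW_SANS)):
        print(f"[{label}] scope:")
        for san, covered in scope_report(sans, SERVICES).items():
            print(f"  {san:20} -> {[s[0] for s in covered]}")
        for san, web, other, proto in alpaca_exposure(sans, SERVICES):
            print(f"  EXPOSED: {web} shares scope {san} with {other} ({proto})")
```

Running it shows the wildcard certificate putting `www` and `legacy` in the same scope as the FTPS and SMTPS hosts (four exposed pairings), while the narrowly scoped SAN list produces none; `deep.dev.example.com` and the bare apex are correctly left outside `*.example.com`.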