NSA warns of ALPACA attacks using wildcard certificates


The US National Security Agency issued a security bulletin warning companies not to use wildcard TLS certificates due to their insecurity and the ALPACA TLS attack.

As a reminder, wildcard certificates are TLS certificates that are provided by CAs and can be used simultaneously for a domain and for all its subdomains (*.example.com). For many years, companies have used such certificates to reduce costs and simplify management, because administrators can use the same certificate on all servers. Alas, this convenience comes at a price: if an attacker breaks into a server in this case, the entire company is compromised.

“An attacker who has gained control over the private key associated with the wildcard certificate will be able to impersonate any of the presented sites and gain access to the user’s valid credentials and protected information,” the NSA warns, urging companies to abandon wildcard certificates in favour of individual …

The NSA also warns of a new attack, ALPACA (Application Layer Protocol Content Confusion Attack), which information security researchers talked about last summer. This attack also works through the use of wildcard certificates.

Essentially, ALPACA allows an attacker to trick web servers into responding to encrypted HTTPS requests over unencrypted protocols, including FTP, IMAP, POP3, and others. According to the experts who came up with ALPACA, a successful attack “will allow you to extract session cookies, other personal user data or execute arbitrary JavaScript in the context of a vulnerable web server, bypassing TLS and web application protection.”

A detailed description of ALPACA was published in June this year, but at the time the problem was not taken seriously, because to carry out the attack an attacker needs to be able to intercept the victim’s traffic, which significantly reduces the risks. However, over the summer, researchers still warned that more than 119,000 web servers were vulnerable to ALPACA.

The NSA is now urging organizations to take ALPACA seriously and test whether their servers are vulnerable (especially if organizations are dealing with confidential information or are part of the US government network). The NSA recommends several methods of protection, including asking organizations to enable ALPN (Application-Layer Protocol Negotiation), an extension of TLS that prevents servers from responding to requests using protocols prohibited by the administrator (FTP, IMAP, and others).
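One way to start the testing described above is to inventory which non-HTTPS TLS services present a certificate that is also valid for a web hostname, since that shared validity is what a wildcard certificate creates across protocols. The following is an added example, not code from the NSA bulletin or this article; the inventory format, hostnames and ports are constructed, and it generalizes the wildcard case to any certificate whose names cover a web host.

```python
# Added example: flags non-HTTPS TLS services whose certificate names also
# cover an HTTPS hostname. Inventory layout and all hosts are constructed.
HTTP_PROTOCOLS = {"https"}

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' only as the whole left-most label, one label deep."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]  # e.g. ".example.com"
    head = h[: -len(suffix)] if h.endswith(suffix) else ""
    return bool(head) and "." not in head

def wildcard_sans(sans):
    """Return only the wildcard entries of a subjectAltName list."""
    return [s for s in sans if s.startswith("*.")]

def cross_protocol_exposure(inventory):
    """List (web_host, service_host, port, protocol, matching_san) for every
    non-HTTPS service whose certificate is also valid for a web hostname."""
    web_hosts = sorted({s["host"] for s in inventory if s["protocol"] in HTTP_PROTOCOLS})
    findings = []
    for svc in inventory:
        if svc["protocol"] in HTTP_PROTOCOLS:
            continue
        for web in web_hosts:
            san = next((n for n in svc["sans"] if san_matches(n, web)), None)
            if san is not None:
                findings.append((web, svc["host"], svc["port"], svc["protocol"], san))
    return findings

# Constructed sample inventory (as might be collected from a certificate scan).
INVENTORY = [
    {"host": "www.example.com", "port": 443, "protocol": "https", "sans": ["*.example.com"]},
    {"host": "shop.eu.example.com", "port": 443, "protocol": "https", "sans": ["shop.eu.example.com"]},
    {"host": "ftp.example.com", "port": 990, "protocol": "ftps", "sans": ["*.example.com"]},
    {"host": "mail.example.com", "port": 993, "protocol": "imaps", "sans": ["mail.example.com"]},
    {"host": "pop.example.com", "port": 995, "protocol": "pop3s", "sans": ["*.example.com", "example.com"]},
]

if __name__ == "__main__":
    for web, host, port, proto, san in cross_protocol_exposure(INVENTORY):
        print(f"{proto} {host}:{port} presents {san}, also valid for {web}")
```

Services flagged here are the candidates for dedicated per-host certificates and for ALPN enforcement; the mail server with its own single-name certificate is not flagged.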
