Security Experts:

Connect with us

Hi, what are you looking for?


Identity & Access

NSA Warns of Risks Posed by Wildcard Certificates, ALPACA Attacks

The National Security Agency last week issued guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques.

The National Security Agency last week issued guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques.

Titled Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique, the new guidance encourages network administrators to ensure that the use of wildcard certificates does not create unwanted risks and that the enterprise environments are not vulnerable to ALPACA attacks.

Web servers use digital certificates to identify themselves when establishing a trusted, secure TLS connection with a web browser, so that sensitive information can be transmitted.

When operating multiple public-facing servers, organizations often use wildcard certificates to verify server identities, because they can represent any server with a similar name, or any subdomain under a specific base domain name.

“Wildcard certificates are typically used to authenticate multiple servers to simplify management of an organization’s credentials, often saving time and money. Common uses include a proxy representing multiple servers. However, using wildcard certificates to validate unrelated servers across the organization introduces risk,” the NSA says.

Should one server that uses a wildcard certificate be compromised, all other servers represented by the certificate are at risk. Furthermore, an attacker that compromises the private key of a certificate could impersonate any sites represented by it, the agency points out.

As for ALPACA, the technique could allow threat actors to perform arbitrary actions and access sensitive data – the conditions that allow for successful exploitation, however, are uncommon.

“Administrators should assess their environment to ensure that their certificate usage, especially the use of wildcard certificates, does not create unmitigated risks, and in particular, that their organizations’ web servers are not vulnerable to ALPACA techniques,” the NSA notes.

The newly issued guidance also provides details on the steps that enterprises can take to mitigate the risks of poorly implemented certificates, as well as those associated with ALPACA, such a restricting the scope of certificates, using an application gateway or WAF, using encrypted DNS, enabling Application-Layer Protocol Negotiation (ALPN), and ensuring that browsers are kept up to date.

Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs

Related: NSA Issues Guidance on Securing IT-OT Connectivity

Related: NSA Publishes Guidance on Adoption of Zero Trust Security

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...