The National Security Agency last week issued guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques.
Titled Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique, the new guidance encourages network administrators to ensure that the use of wildcard certificates does not create unwanted risks and that the enterprise environments are not vulnerable to ALPACA attacks.
Web servers use digital certificates to identify themselves when establishing a trusted, secure TLS connection with a web browser, so that sensitive information can be transmitted.
When operating multiple public-facing servers, organizations often use wildcard certificates to verify server identities, because they can represent any server with a similar name, or any subdomain under a specific base domain name.
“Wildcard certificates are typically used to authenticate multiple servers to simplify management of an organization’s credentials, often saving time and money. Common uses include a proxy representing multiple servers. However, using wildcard certificates to validate unrelated servers across the organization introduces risk,” the NSA says.
Should one server that uses a wildcard certificate be compromised, all other servers represented by the certificate are at risk. Furthermore, an attacker that compromises the private key of a certificate could impersonate any sites represented by it, the agency points out.
As for ALPACA, the technique could allow threat actors to perform arbitrary actions and access sensitive data – the conditions that allow for successful exploitation, however, are uncommon.
“Administrators should assess their environment to ensure that their certificate usage, especially the use of wildcard certificates, does not create unmitigated risks, and in particular, that their organizations’ web servers are not vulnerable to ALPACA techniques,” the NSA notes.
The newly issued guidance also provides details on the steps that enterprises can take to mitigate the risks of poorly implemented certificates, as well as those associated with ALPACA, such a restricting the scope of certificates, using an application gateway or WAF, using encrypted DNS, enabling Application-Layer Protocol Negotiation (ALPN), and ensuring that browsers are kept up to date.
Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs
Related: NSA Issues Guidance on Securing IT-OT Connectivity
Related: NSA Publishes Guidance on Adoption of Zero Trust Security
More from Ionut Arghire
- Google Leads $16 Million Investment in Dope.security
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
