The National Security Agency last week issued guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques.
Titled Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique, the new guidance encourages network administrators to ensure that the use of wildcard certificates does not create unwanted risks and that the enterprise environments are not vulnerable to ALPACA attacks.
Web servers use digital certificates to identify themselves when establishing a trusted, secure TLS connection with a web browser, so that sensitive information can be transmitted.
When operating multiple public-facing servers, organizations often use wildcard certificates to verify server identities, because they can represent any server with a similar name, or any subdomain under a specific base domain name.
“Wildcard certificates are typically used to authenticate multiple servers to simplify management of an organization’s credentials, often saving time and money. Common uses include a proxy representing multiple servers. However, using wildcard certificates to validate unrelated servers across the organization introduces risk,” the NSA says.
Should one server that uses a wildcard certificate be compromised, all other servers represented by the certificate are at risk. Furthermore, an attacker that compromises the private key of a certificate could impersonate any sites represented by it, the agency points out.
As for ALPACA, the technique could allow threat actors to perform arbitrary actions and access sensitive data – the conditions that allow for successful exploitation, however, are uncommon.
“Administrators should assess their environment to ensure that their certificate usage, especially the use of wildcard certificates, does not create unmitigated risks, and in particular, that their organizations’ web servers are not vulnerable to ALPACA techniques,” the NSA notes.
The newly issued guidance also provides details on the steps that enterprises can take to mitigate the risks of poorly implemented certificates, as well as those associated with ALPACA, such a restricting the scope of certificates, using an application gateway or WAF, using encrypted DNS, enabling Application-Layer Protocol Negotiation (ALPN), and ensuring that browsers are kept up to date.
Related: NSA, CISA Issue Guidance on Selecting and Securing VPNs
Related: NSA Issues Guidance on Securing IT-OT Connectivity
Related: NSA Publishes Guidance on Adoption of Zero Trust Security