Last week, the National Security Agency provided guidance on the dangers of wildcard TLS certificates and ALPACA tactics (Application Layer Protocols Allowing Cross-Protocol Attacks).
The new advisory, titled Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique, encourages network administrators to verify that the usage of wildcard certificates does not expose enterprise environments to undesirable risks and that they are not subject to ALPACA assaults.
When establishing a trusted, secure TLS connection with a web browser, web servers employ digital certificates to identify themselves so that sensitive information can be exchanged.
Wildcard certificates are commonly used to validate server identities when running numerous public-facing servers because they can represent any server with a similar name or any subdomain under a specific base domain name.
“Wildcard certificates are commonly used to authenticate various servers in order to simplify the management of an organization’s credentials, which saves time and money.” A proxy that represents numerous servers is a common application. The use of wildcard certificates to authenticate unrelated servers across an enterprise, on the other hand, poses a risk, according to the NSA.
If one server that employs a wildcard certificate is hacked, all other servers that the certificate represents are at risk. Furthermore, according to the agency, an attacker who gains access to a certificate’s private key can spoof any of the sites it represents.
In the case of ALPACA, the technique could allow threat actors to carry out arbitrary operations and get access to sensitive data; nevertheless, the prerequisites for successful exploitation are rare.
“Administrators should examine their environment to verify that their certificate usage, particularly the use of wildcard certificates, does not generate unchecked risks,” according to the NSA. “In particular, their businesses’ web servers should not be vulnerable to ALPACA tactics.”
Enterprises can take steps to mitigate the risks of poorly implemented certificates, as well as those associated with ALPACA, by limiting the scope of certificates, using an application gateway or WAF, using encrypted DNS, enabling Application-Layer Protocol Negotiation (ALPN), and ensuring that browsers are kept up to date, according to the newly issued guidance.
