The US National Security Agency issued a security bulletin warning companies not to use wildcard TLS certificates due to their insecurity and the ALPACA TLS attacks.Let me remind you that wildcard certificates are TLS certificates that are provided by certification authorities and can be used simultaneously for a domain and for all its subdomains (*.example.com). For many years, companies have used such certificates to reduce costs and alleviation of management because administrators can use the same certificate on all servers. Alas, this convenience comes at a price, because if an attacker breaks into the server in this case, he compromises the entire company.
The NSA also warns of a new attack, ALPACA (Application Layer Protocol Content Confusion Attack), which information security researchers spoke about last summer. This attack also works through the use of wildcard certificates.
A detailed description of ALPACA was published in June this year, but then the problem was not considered seriously, because to implement an attack, an attacker needs to be able to intercept the victim’s traffic, which significantly reduces the risks. However, over the summer, researchers still warned that more than 119,000 web servers were vulnerable to ALPACA.
The NSA is now urging organizations to take ALPACA seriously and test whether their servers are vulnerable (especially if organizations are dealing with confidential information or are part of the US government network).
The NSA recommends several methods of protection, including asking organizations to enable ALPN (Application-Layer Protocol Negotiation), an extension of TLS that prevents servers from responding to requests using protocols prohibited by the administrator (FTP, IMAP, and others).
Let me remind you that I also reported that the FBI and NSA release a statement about attacks by Russian hackers.