New NSA Guidelines: Avoid Wildcard TLS Certificates Due to ALPACA!

October 11, 2021 | Alexa Hernandez

The NSA recently published “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique”, a cybersecurity information sheet aiming to better secure the Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB). These guidelines warn network administrators of the inherent risks of poorly implemented wildcard TLS certificates, along with recommended actions to secure these servers. These recommendations come with the goal of protecting critical systems from a new web exploitation technique known as ALPACA.

What are wildcard certificates?

A wildcard certificate is a single public key certificate, such as a TLS certificate, that secures all first-level subdomains of a domain. There are many risks involved in using wildcard certificates, but the most pressing danger is that a single private key is then used across all of those systems. Your entire network can be compromised if that one private key falls prey to a phishing attack, malware, or another form of cyber-attack.

What is ALPACA and why is it dangerous?

One of the benefits that drives network administrators to use wildcard certificates is that using one certificate to authenticate multiple servers greatly simplifies credential management, saving time and money. As stated above, however, a malicious threat actor needs only to gain unauthorized access to one wildcard certificate private key to jeopardize the entire system. Once the key is compromised, bad actors can impersonate every site within the certificate's scope and access users' credentials and private information.

This danger is greatly increased by the ALPACA technique, a new style of web exploitation also known as Application Layer Protocols Allowing Cross-Protocol Attacks. It attacks otherwise hardened web applications through non-HTTP services that present a TLS certificate whose scope also covers the web application's hostname.

It is vital that web administrators assess their certificate environments and confirm that their certificate usage, particularly where wildcard certificates are involved, does not give cybercriminals the opportunity to exploit their network using the ALPACA technique.
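The assessment the post calls for can be started from a plain inventory of which service presents which certificate. The script below is an added example, not code from the Venafi post or from the NSA information sheet; it implements the single-label wildcard matching rule described above, groups services by certificate (and therefore by private key), and flags every HTTPS host that is also covered by a non-HTTP service's certificate, which is the precondition ALPACA relies on. All hosts, ports and fingerprints in the inventory are constructed placeholders.

```python
"""Audit a TLS service inventory for the wildcard-certificate conditions the
post describes: one private key shared across many services, and a non-HTTP
service whose certificate is also valid for a web application's hostname.

Added example; not code from the Venafi post or the NSA information sheet.
Every host, port and fingerprint below is a constructed placeholder."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    protocol: str          # "https", "smtp", "ftp", "imap", ...
    cert_fingerprint: str  # identifies the certificate, and so its private key
    sans: tuple            # dNSName entries from the certificate's SAN extension


def san_matches(pattern: str, host: str) -> bool:
    """Hostname matching in the style of RFC 6125 section 6.4.3: a leading
    '*' label covers exactly one DNS label, so '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def shared_key_report(inventory):
    """Group services by certificate fingerprint (one private key per
    certificate) and report wildcard certificates that are presented by
    more than one protocol."""
    by_cert = defaultdict(list)
    for svc in inventory:
        by_cert[svc.cert_fingerprint].append(svc)
    report = []
    for fingerprint, services in by_cert.items():
        wildcards = sorted({s for svc in services for s in svc.sans if s.startswith("*.")})
        protocols = sorted({svc.protocol for svc in services})
        if wildcards and len(protocols) > 1:
            report.append({
                "fingerprint": fingerprint,
                "wildcards": wildcards,
                "protocols": protocols,
                "endpoints": sorted(f"{svc.host}:{svc.port}" for svc in services),
            })
    return report


def cross_protocol_exposure(inventory):
    """For each HTTPS host, list the non-HTTP services whose certificate is
    also valid for that host. Such a pairing is the precondition for an
    ALPACA-style cross-protocol confusion, so each hit is a finding."""
    web = [svc for svc in inventory if svc.protocol == "https"]
    non_web = [svc for svc in inventory if svc.protocol != "https"]
    exposure = {}
    for w in web:
        hits = sorted(
            f"{o.host}:{o.port}/{o.protocol}"
            for o in non_web
            if any(san_matches(san, w.host) for san in o.sans)
        )
        if hits:
            exposure[w.host] = hits
    return exposure


# Constructed inventory: fp-A is one wildcard certificate (hence one private
# key) installed on a web server, a mail server and an FTP server.
INVENTORY = (
    Service("www.example.com", 443, "https", "fp-A", ("*.example.com",)),
    Service("api.example.com", 443, "https", "fp-B", ("api.example.com",)),
    Service("portal.corp.example", 443, "https", "fp-C", ("portal.corp.example",)),
    Service("mail.example.com", 465, "smtp", "fp-A", ("*.example.com",)),
    Service("ftp.example.com", 990, "ftp", "fp-A", ("*.example.com",)),
    Service("imap.corp.example", 993, "imap", "fp-D", ("imap.corp.example",)),
)

if __name__ == "__main__":
    for finding in shared_key_report(INVENTORY):
        print("shared wildcard key:", finding)
    for host, services in cross_protocol_exposure(INVENTORY).items():
        print(f"{host} is also covered by non-HTTP service(s): {', '.join(services)}")
```

Two things in the constructed output are worth noticing. The shared-key report flags fp-A once, listing all three protocols that present it, which is the "one private key across all systems" risk from the previous section. The exposure check, however, also flags api.example.com even though its own certificate is a plain single-name certificate: the wildcard certificate on the mail and FTP servers is valid for that hostname too, so replacing the wildcard on the web server alone would not close the gap. portal.corp.example, on a different domain, is not covered by any other service's certificate and produces no finding.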

How can I stay informed with the latest threat intelligence?

Today’s cybersecurity landscape is constantly changing, and the only way to protect your organization is to stay alert to ongoing and evolving threat intelligence. Following the Venafi Machine Identity Threat Model will allow you to become a machine identity threats pro! You can also subscribe to the Venafi Blog for all the latest breaking news and threat updates around encryption, machine identities, and more.

About the author

Alexa Hernandez

Alexa is the Web Marketing Specialist at Venafi.