The NSA recently published “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique”, a cybersecurity information sheet aiming to better secure the Department of Defense (DoD), National Security Systems (NSS), and Defense Industrial Base (DIB). These guidelines warn network administrators of the inherent risks of poorly implemented wildcard TLS certificates, along with recommended actions to secure these servers. These recommendations come with the goal of protecting critical systems from a new web exploitation technique known as ALPACA.
A wildcard certificate is a single public key certificate, like TLS certificates, that secures all first-level subdomains. There are many risks involved with using wildcard certificates, but the most pressing one danger is that means there is just one private key used across all systems. Your entire network can be compromised by just one private key falling prey to a phishing attack, malware, or other form of cyber-attack.
One of the benefits that drives network administrators to use wildcard certificates is that using one certificate to authenticate multiple servers greatly simplifies credential management, saving time and money. As stated above, however, a malicious threat actor only must gain unauthorized access to one wildcard certificate private key to jeopardize the entire system. Once compromised, bad actors can impersonate all sites within the certificates scope and access users’ credentials and private information.
This danger is greatly increased by the ALPACA technique, a new style of web exploitation also known as Application Layer Protocols Allowing Cross-Protocol Attacks. It exploits hardened web applications through non-HTTP services that are secured by a TLS certificate whose scope matches the web application in question.
It is vital that web administrators assess their certificate environments and confirm their certificate usage, particularly if wildcard certificates are involved, does not allow cybercriminals the opportunity to exploit their network using the ALPACA technique.
Today’s cybersecurity landscape is constantly changing, and the only way to protect your organization is to stay alert to ongoing and evolving threat intelligence. Following the Venafi Machine Identity Threat Model will allow you to become a machine identity threats pro! You can also subscribe to the Venafi Blog for all the latest breaking news and threat updates around encryption, machine identities, and more.