Wildcard Certificates May Lead to TLS Vulnerabilities

June 21, 2021 | Anastasios Arampatzis

We have often elaborated that while wildcard certificates might make encryption easier to secure multiple domains, they introduce many blind spots jeopardizing overall corporate security.

The ALPACA attack

New research by three German universities has found that TLS is vulnerable to certificate confusion where wildcard or multi-domain certificates have been deployed. Dubbed ALPACA (Application Layer Protocol Confusion—Analyzing and Mitigating Cracks in TLS Authentication), the researchers' findings are described in an academic paper scheduled to be presented in August at Black Hat USA 2021 and the USENIX Security Symposium 2021.

According to the research, adversaries can launch man-in-the-middle (MitM) attacks to redirect TLS traffic to a different endpoint because TLS is independent of the application layer and does not bind a TCP connection to the application protocol the client intended (e.g., HTTP, SMTP, IMAP, POP3, or FTP).

"We show that in realistic scenarios, the attacker can extract session cookies and other private user data or execute arbitrary JavaScript in the context of the vulnerable web server, therefore bypassing TLS and web application security," the paper explains. Although such an attack was first described 20 years ago by Jochen Topf, with browsers sending arbitrary data to any TCP port using HTML forms, it is the ALPACA paper that details how this technique can be used across multiple protocols.

The researchers from the German universities demonstrated that, with a MitM position in place, a website controlled by the attackers could initiate a cross-origin HTTPS request carrying a malicious FTP payload. By redirecting the request to an FTP server whose certificate is also valid for the web server's name, such as a wildcard certificate, the attacker could set a specific cookie, download a malicious JavaScript file, or reflect malicious JavaScript in the request.

The researchers demonstrated that their technique works by registering an account with the email provider Mailfence. They say they found similar exploitable issues at a major Bitcoin exchange, the website of a large university, and the Government of India's webmail service. In total, the researchers identified 1.4 million web servers that are potentially vulnerable to protocol confusion, 119,000 of which are reachable by an exploitable application server.

“Cross-protocol attacks are a familiar and devastating category of attacks made famous by such threats as the DROWN attack of 2016 and many others,” says Pratik Savla, lead security engineer at Venafi. “In this class of attacks, a threat actor enables a client to initiate a transaction in one protocol but towards the server that knows a different protocol. An attacker might take advantage of this scenario and make such a transaction appear as a valid transaction in the second protocol.” 

Although the researchers argue that the ALPACA attack is difficult to implement, because it requires a number of prerequisites and depends on the complicated interplay between applications, protocols, and browsers, it should not be ignored. To mitigate this threat, they suggest enforcing the Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions to TLS as a barrier to cross-protocol attacks, so that a server refuses connections for a protocol or hostname it does not serve. The downside to this suggestion is that deploying these protections could shut out legacy clients and servers that have not been updated yet.
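As an added example (not from the post or the researchers' paper), the Go program below shows the server-side enforcement just described: a loopback server holds a self-signed wildcard certificate for *.example.test (constructed here) that verifies for any single-label subdomain, yet it completes a handshake only when the client's SNI names www.example.test and its ALPN offer overlaps with http/1.1. The hostnames and certificate are assumptions for the example; Go's server refuses a non-overlapping ALPN offer by itself (Go 1.17 and later), and the SNI check is done in GetConfigForClient.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// Handshake dials a loopback server that holds the wildcard cert but pins SNI and ALPN.
func Handshake(sni, alpn string) error {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"*.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client trusts exactly this constructed wildcard cert
	pool.AddCert(leaf)
	srv := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		NextProtos:   []string{"http/1.1"}, // strict ALPN: offers with no overlap are refused
		GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			if h.ServerName != "www.example.test" { // strict SNI: one host, not the whole wildcard
				return nil, errors.New("unrecognized server name " + h.ServerName)
			}
			return nil, nil // keep the default config
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // server side; the outcome is observed by the client
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: sni, NextProtos: []string{alpn}, RootCAs: pool})
	if err == nil {
		cli.Close() // handshake accepted: the server saw the expected host and protocol
	}
	return err
}
```

Handshake("www.example.test", "http/1.1") returns nil, while Handshake("ftp.example.test", "http/1.1") and Handshake("www.example.test", "ftp") return handshake errors even though the wildcard certificate would verify for both names.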

CA/B Forum prohibits HTTP validation for wildcard certificates

At the same time, Mozilla and the CA/B Forum are mandating that wildcard certificates be prohibited for domains validated with the HTTP method. The justification behind this decision is that the HTTP validation method cannot verify control over all the names that such a certificate covers.

The HTTP domain validation method (officially known as method 6, Agreed-Upon Change to Website) demonstrates control over a domain by placing a file in a specific directory of the website. However, a website does not carry the formal delegation of authority that DNS has, where control of a domain implies control of its subdomains. If a website protected by a wildcard certificate gets compromised or impersonated, the attackers can use the compromised certificate to stand up subdomains that present themselves as different entities, such as phishing sites.

As a result, Mozilla and the CA/B Forum are mandating that issuance of wildcard certificates containing domains validated with the HTTP method be limited to exactly the validated domain. This decision will impact customers, since HTTP validation is a commonly used domain validation method. If they still want to continue using this method, they must validate each SAN:DNSName individually.


“This research lays bare (even though a bit tangentially) as well as reinforces the extreme vulnerability that wildcard certificate usage can lead to for organizations,” notes Savla. “Companies should keep in mind that the more extensively wildcard certificates are used in their environment, the more it could result in the widening of the attack surface. And any added reactionary approach would only serve to prolong security incident response.”

Before using wildcard certificates, you should make sure you understand the value and the risks of these certificates. After all, you don’t want to see your organization’s name associated with a phishing attack. A compromised wildcard certificate can lead to serious repercussions. But you can avoid (or at least mitigate) the potential impact of an attack by using short-lived, non-wildcard certificates.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
