78.5 F
Washington D.C.
Saturday, October 16, 2021
spot_img

NSA: Avoid Dangers of Wildcard TLS Certificates, the ALPACA Technique

NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks.

NSA released the Cybersecurity Information Sheet, “Avoid Dangers of Wildcard TLS Certificates and the ALPACA Technique” today, warning network administrators about the risks of using poorly scoped wildcard Transport Layer Security (TLS) certificates. NSA recommends several actions web administrators should take to keep their servers secure. This guidance also outlines the risks of falling victim to a web application exploitation method called Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA), which malicious cyber actors can use to access sensitive information.

NSA is releasing this guidance as part of our mission to help secure the Department of Defense (DoD), National Security Systems (NSS) and Defense Industrial Base (DIB). Administrators should assess their environments and mitigate wildcard certificates and ALPACA risks.

Wildcard certificates are used to authenticate multiple servers and simplify credential management, saving time and money. However, if one server hosting a wildcard certificate is compromised, all other servers that can be represented by the wildcard certificate are put at risk. A malicious cyber actor with a wildcard certificate’s private key can impersonate any of the sites within the certificate’s scope and gain access to user credentials and protected information.

The ALPACA technique, which exploits hardened web applications through non-HTTP services secured using a TLS certificate whose scope matches the web application, further increases the risk of using poorly scoped wildcard certificates.

NSA recommends NSS, DoD, and DIB administrators ensure their organization’s wildcard certificate usage does not create unmitigated risks, making their web servers vulnerable to ALPACA techniques. The Cybersecurity Information Sheet provides mitigations for poorly implemented certificates and ALPACA, including:

  • Understanding the scope of each wildcard certificate used in your organization
  • Using an application gateway or web application firewall in front of servers, including non-HTTP servers
  • Using encrypted DNS and validating DNS security extensions to prevent DNS redirection
  • Enabling Application-Layer Protocol Negotiation (APLN), a TLS extension that allows the server/application to specify permitted protocols where possible
  • Maintaining web browsers at the latest version with current updates

For more details on how to harden wildcard certificates against the ALPACA technique, read the full information sheet.

For additional cybersecurity guidance, visit https://www.nsa.gov/Press-Room/Cybersecurity-Advisories-Guidance/.

Read more at NSA

Homeland Security Todayhttp://www.hstoday.us
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

STAY CONNECTED

- Advertisement -

Latest Articles