BACKGROUND:
Researchers have disclosed a new class of attack, dubbed ALPACA, that exploits application-layer protocol confusion in transport layer security (TLS) deployments. An attacker who can tamper with network traffic redirects a victim browser's HTTPS connection to a different TLS service (for example an FTP or email server) on another IP address; because that service presents a certificate that is also valid for the hostname the browser asked for, the handshake succeeds and the attacker can abuse the foreign protocol to steal sensitive information such as session cookies. An expert with XSOC Corp offers perspective.
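How the redirect described above can succeed, and what a server must check to refuse it, as an added Python model written for this page (it is not code from the ALPACA researchers or from the site): the hostnames, the wildcard certificate and the two FTPS server configurations are constructed sample data, and the strict ALPN/SNI checks are the countermeasures the ALPACA research recommends, modelled only at the TLS-handshake level.

```python
"""Model of the ALPACA precondition (one certificate valid for several services)
and of the server-side ALPN/SNI strictness that breaks the redirect.
All hostnames, the certificate and the server configs below are constructed."""
from dataclasses import dataclass

# Constructed sample certificate: one wildcard cert shared by every subdomain.
WILDCARD_SANS = ("*.example.com", "example.com")


def cert_matches(hostname: str, sans) -> bool:
    """RFC 6125-style name matching: '*' may only replace the whole left-most label
    and matches exactly one label, so *.example.com covers www. and ftp. but not a.b."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]                 # ".example.com"
            if suffix.count(".") < 2:        # refuse over-broad wildcards such as *.com
                continue
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
        elif san == host:
            return True
    return False


@dataclass(frozen=True)
class ClientHello:
    sni: str          # server_name the client believes it is talking to
    alpn: tuple       # application protocols the client is willing to speak


@dataclass(frozen=True)
class ServerConfig:
    hostname: str     # name this service is deployed under
    alpn: tuple       # ALPN ids this service speaks (IANA-registered ids)
    strict_alpn: bool # abort when the client offers ALPN but nothing overlaps
    strict_sni: bool  # abort when the client's SNI names a different host


def server_accepts(server: ServerConfig, hello: ClientHello):
    """Return (accepted, reason). The strict checks mirror the ALPACA countermeasures:
    a service refuses a handshake that was meant for another protocol or another host.
    Clients that send neither extension are still accepted in this model."""
    if server.strict_alpn and hello.alpn and not set(hello.alpn) & set(server.alpn):
        return False, "alert no_application_protocol: client offered %s, server speaks %s" % (
            "/".join(hello.alpn), "/".join(server.alpn))
    if server.strict_sni and hello.sni and hello.sni.lower() != server.hostname.lower():
        return False, "alert unrecognized_name: SNI %s != %s" % (hello.sni, server.hostname)
    return True, "handshake accepted"


def redirected_handshake(server: ServerConfig, hello: ClientHello, intended_host: str,
                         sans=WILDCARD_SANS):
    """Simulate the attacker forwarding the victim's ClientHello to another service.
    The handshake completes only if that service accepts it AND the certificate it
    presents is valid for the host the browser actually wanted."""
    ok, reason = server_accepts(server, hello)
    if not ok:
        return False, reason
    if not cert_matches(intended_host, sans):
        return False, "browser rejects certificate for " + intended_host
    return True, "browser now speaks HTTP to %s inside a valid TLS session" % server.hostname


# Constructed deployment: HTTPS on www, FTPS on ftp, both behind the same wildcard cert.
BROWSER_HELLO = ClientHello(sni="www.example.com", alpn=("h2", "http/1.1"))
LAX_FTPS = ServerConfig("ftp.example.com", ("ftp",), strict_alpn=False, strict_sni=False)
STRICT_FTPS = ServerConfig("ftp.example.com", ("ftp",), strict_alpn=True, strict_sni=True)


def demo():
    """Run the redirect against both FTPS configs; returns {name: (completed, reason)}."""
    return {
        "lax": redirected_handshake(LAX_FTPS, BROWSER_HELLO, "www.example.com"),
        "strict": redirected_handshake(STRICT_FTPS, BROWSER_HELLO, "www.example.com"),
    }


if __name__ == "__main__":
    for name, (completed, reason) in demo().items():
        print(f"{name:6} -> {'VULNERABLE' if completed else 'blocked'}: {reason}")
```

The lax FTPS server completes the handshake because the browser's only check, certificate validity for www.example.com, passes against the shared wildcard certificate; the strict server aborts on the first mismatch (the browser offered h2/http/1.1, the server speaks only ftp). The model stops at the TLS layer: whether a completed cross-protocol session actually leaks data further depends on how tolerant the application-layer server is of HTTP syntax, which this model does not attempt to capture.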
Expert Comments
The recently discovered "ALPACA" attack is a reproducible weakness in the TLS security scheme that commonly provides encryption security to websites, email, file-transfer, and more. The entire evolution and perpetually increasing complexity of the TLS platform is centered around plugging holes in natively fragile asymmetric encryption. As the needs and use-cases for asymmetric encryption continue to become stretched well beyond its original conception, we really begin to see the limits imposed by logistical stressors.
ALPACA exploits some rather common scenarios that are inherent when applying asymmetric (public/private) key security to systems with multiple subdomains. Utilizing a "wildcard" certificate for sub-domains is far more financially feasible and more approachable (logistically) for most organizations.
It is this very ‘convenience construct’ that enables attacks like ALPACA to be possible.
Much of the world continues to try and adapt asymmetric cryptography into something that will fit with newer and more elaborate system architectures. For example, we want all our point-to-point communications to be secured. We only want to buy one certificate. We don't want to be bothered with concepts like key-rotation or key-exchanges.
As demonstrated by this latest breach in security, we are again shown that the broader use of (E2E) security is still most effectively and securely achieved with symmetric encryption techniques.
The caveat (of course) being that symmetric key exchanges must be perfect in order to fully realize the power of symmetric security.
A fully symmetric transport-layer/application protocol that is performant enough to deliver on the needs of point-to-point transmissions could obviate the need for total reliance on TLS in the future.
@Richard Blech, Founder & CEO, provides expert commentary at @Information Security Buzz.
https://informationsecuritybuzz.com/expert-comments/expert-insight-on-alpaca-attack