Expert Insight On ALPACA Attack

The recently discovered "ALPACA" attack is a reproducible weakness in the TLS security scheme that commonly provides encryption security to websites, email, file-transfer, and more. The entire evolution and perpetually increasing complexity of the TLS platform is centered around plugging holes in natively fragile asymmetric encryption.  As the needs and use-cases for asymmetric encryption continue to become stretched well beyond it's original conception, we really begin to see the limits imposed by logistical stressors.

ALPACA exploits some rather common scenarios that are inherent when applying asymmetric (public/private) key security to systems with multiple subdomains. Utilizing a "wildcard" certificate for sub-domains is far more financially feasible and more approachable (logistically) for most organizations.

It is this very ‘convenience construct’ that enables attacks like ALPACA to be possible.

Much of the world continues to try and adapt asymmetric cryptography into something that will fit with newer and more elaborate system architectures. For example, we want all our point-to-point communications to be secured.  We only want to buy one certificate.  We don't want to be bothered with concepts like key-rotation or key-exchanges.

As demonstrated by this latest breach in security, we are again shown that the broader use of (E2E) security is still most effectively and securely achieved with symmetric encryption techniques.

The caveat (of course) being that symmetric key exchanges must be perfect in order to fully realize the power of symmetric security.

A fully symmetric transport-layer/application protocol that is performant enough to deliver on the needs of point-to-point transmissions could obviate the need for total reliance on TLS in the future.