Expert Insight On ALPACA Attack

BACKGROUND:

Researchers have discovered a new type of attack, dubbed ALPACA, that exploits misconfigurations in Transport Layer Security (TLS) servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address, with the aim of stealing sensitive information. An expert with XSOC Corp offers perspective.

Expert Comments

June 16, 2021
Richard Blech
Founder & CEO
XSOC CORP

The recently discovered "ALPACA" attack is a reproducible weakness in the TLS security scheme that commonly provides encryption security to websites, email, file-transfer, and more. The entire evolution and perpetually increasing complexity of the TLS platform is centered around plugging holes in natively fragile asymmetric encryption. As the needs and use-cases for asymmetric encryption continue to become stretched well beyond its original conception, we really begin to see the limits imposed by logistical stressors.

 

ALPACA exploits some rather common scenarios that are inherent when applying asymmetric (public/private) key security to systems with multiple subdomains. Utilizing a "wildcard" certificate for sub-domains is far more financially feasible and more approachable (logistically) for most organizations.

 

It is this very ‘convenience construct’ that enables attacks like ALPACA to be possible.

 

Much of the world continues to try and adapt asymmetric cryptography into something that will fit with newer and more elaborate system architectures. For example, we want all our point-to-point communications to be secured. We only want to buy one certificate. We don't want to be bothered with concepts like key-rotation or key-exchanges.

    

As demonstrated by this latest breach in security, we are again shown that the broader use of (E2E) security is still most effectively and securely achieved with symmetric encryption techniques.

 

The caveat (of course) being that symmetric key exchanges must be perfect in order to fully realize the power of symmetric security.

 

A fully symmetric transport-layer/application protocol that is performant enough to deliver on the needs of point-to-point transmissions could obviate the need for total reliance on TLS in the future.
