Researchers have discovered a new type of attack, dubbed ALPACA, that exploits misconfigurations in transport layer security (TLS) servers to redirect HTTPS traffic from a victim’s web browser to a different TLS service endpoint located on another IP address to steal sensitive information. An expert with XSOC Corp offers perspective.
<p>The recently discovered \"ALPACA\" attack is a reproducible weakness in the TLS security scheme that commonly provides encryption security to websites, email, file-transfer, and more. The entire evolution and perpetually increasing complexity of the TLS platform is centered around plugging holes in natively fragile asymmetric encryption. As the needs and use-cases for asymmetric encryption continue to become stretched well beyond it\’s original conception, we really begin to see the limits imposed by logistical stressors.</p> <p> </p> <p>ALPACA exploits some rather common scenarios that are inherent when applying asymmetric (public/private) key security to systems with multiple subdomains. Utilizing a \"wildcard\" certificate for sub-domains is far more financially feasible and more approachable (logistically) for most organizations.</p> <p> </p> <p>It is this very ‘convenience construct’ that enables attacks like ALPACA to be possible.</p> <p> </p> <p>Much of the world continues to try and adapt asymmetric cryptography into something that will fit with newer and more elaborate system architectures. For example, we want all our point-to-point communications to be secured. We only want to buy one certificate. We don\’t want to be bothered with concepts like key-rotation or key-exchanges.</p> <p> </p> <p>As demonstrated by this latest breach in security, we are again shown that the broader use of (E2E) security is still most effectively and securely achieved with symmetric encryption techniques.</p> <p> </p> <p>The caveat (of course) being that symmetric key exchanges must be perfect in order to fully realize the power of symmetric security.</p> <p> </p> <p>A fully symmetric transport-layer/application protocol that is performant enough to deliver on the needs of point-to-point transmissions could obviate the need for total reliance on TLS in the future.</p>