NSA Warns Of Wildcard TLS Certificate Dangers, Expert Reacted

By ISBuzz Team, Writer, Information Security Buzz | Oct 18, 2021 03:15 am PST


The NSA is warning organizations to avoid using wildcard digital encryption certificates in order to minimize the risk from a new form of TLS traffic decryption attack, dubbed "ALPACA."
This attack, discovered in June, allows threat actors to confuse machine identities that run multiple protocols and trick servers into responding to encrypted HTTPS requests through unencrypted protocols. These unencrypted responses give cybercriminals a means to steal cookies and private user data.

Murali Palanisamy, Chief Solutions Officer
October 18, 2021 11:16 am

Certificates are the foundation of digital security. Any compromise of a digital certificate can result in a catastrophic event such as a system outage or data breach — ultimately impacting the reputation, data security, and trust in the organization. With this in mind, enterprises and organizations should evaluate the risk that they are taking by using the same wildcard TLS certificate across multiple applications.

One of the main reasons organizations use wildcards is to simplify management and reduce domain costs. Instead of creating one certificate per domain, organizations can just procure one wildcard cert and apply it wherever needed, and during renewal they can just update with the new certificate. This is effective for smaller organizations or a limited number of exposed domains, but if the applications are widely distributed, then securing the certificates becomes a challenge and also exposes them to a new attack dubbed Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA).

To help prevent ALPACA attacks from happening, organizations must first confirm there are no known or unknown vulnerabilities in all digital applications, which is not easy to achieve. Then, they have two options:

1. Secure all the deployments that use the wildcard certificates, automate deployment and secure the digital keys – typically with a software or hardware security module (HSM) or something similar – to ensure no one can access them.
2. Use separate digital certificates for each application domain and secure the keys and applications. To easily manage the certificates and better keep digital assets safe, there are solutions like certificate lifecycle management platforms to automate deployments.

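The exposure the article and the comment describe is a wildcard certificate presented by services that speak different application protocols. The script below is an added example (not code from the article, the NSA, or the commenter) that walks a constructed certificate and service inventory and flags exactly that pattern; the certificate ids, hostnames and ports are made-up sample values.

```python
"""Flag wildcard TLS certificates that are presented by services speaking
more than one application protocol, the deployment pattern that cross-protocol
(ALPACA-style) attacks depend on.  All data here is constructed sample data."""
from collections import defaultdict

def name_matches(pattern: str, hostname: str) -> bool:
    """Certificate name matching: a leading '*' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.example.test" -> ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the label the wildcard stands for
    return bool(leftmost) and "." not in leftmost

# Constructed inventory: certificate id -> subject alternative names it carries.
CERTS = {
    "cert-wild": ["*.example.test"],
    "cert-www": ["www.example.test"],
}
# Constructed inventory: (hostname, port, application protocol, cert presented).
SERVICES = [
    ("www.example.test", 443, "https", "cert-wild"),
    ("mail.example.test", 993, "imaps", "cert-wild"),
    ("ftp.example.test", 990, "ftps", "cert-wild"),
    ("www.example.test", 8443, "https", "cert-www"),   # single protocol: not flagged
]

def cross_protocol_wildcard_exposure(certs, services):
    """Return one finding per wildcard certificate whose endpoints span 2+ protocols."""
    by_cert = defaultdict(list)
    for host, port, proto, cert_id in services:
        by_cert[cert_id].append((host, port, proto))
    findings = []
    for cert_id, endpoints in by_cert.items():
        wildcards = [n for n in certs[cert_id] if n.startswith("*.")]
        protocols = {proto for _, _, proto in endpoints}
        if not wildcards or len(protocols) < 2:
            continue                           # no wildcard, or one protocol only
        # Report only the hosts the wildcard actually covers (the shared identity).
        covered = sorted({h for h, _, _ in endpoints
                          if any(name_matches(w, h) for w in wildcards)})
        findings.append({"cert": cert_id, "wildcards": wildcards,
                         "protocols": sorted(protocols), "hosts": covered})
    return findings

if __name__ == "__main__":
    for f in cross_protocol_wildcard_exposure(CERTS, SERVICES):
        print(f"{f['cert']} ({', '.join(f['wildcards'])}) is shared across "
              f"{', '.join(f['protocols'])} on {', '.join(f['hosts'])}")
```

Each finding names the certificate, the protocols it is shared across and the hosts the wildcard covers, which is the list to work through when deciding between the two options above (securing every deployment that shares the cert, or splitting it into per-application certificates).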
