The attack allows you to steal personal data or execute arbitrary JavaScript code in the context of a vulnerable web server.
The US National Security Agency has alerted organizations and companies to a new TLS attack called the Application Layer Protocol Content Confusion Attack (ALPACA). The NSA has urged organizations to follow technical guidelines and protect servers from scenarios where attackers can access and decrypt encrypted web traffic.
The NSA has highlighted the use of wildcard TLS certificates, which many security researchers have also warned about over the years. A wildcard certificate is a digital TLS certificate obtained by companies from CAs that allows the owner to apply it to a domain and all its subdomains at the same time (* .example.com).
Over the years, companies have used wildcard certificates to reduce cost and manageability because administrators can use the same certificate across all servers instead of managing different certificates for each subdomain.
However, this ease of use is also at risk, since an attacker only needs to break into the server and thus compromise the entire company network.
"An attacker who gains control of the private key associated with the wildcard certificate is able to impersonate any of the sites presented and gain access to the user's valid credentials and protected information," the NSA said.
The NSA report contains a warning about a new attack by ALPACA, recorded this summer. The attack allows an attacker to confuse web servers with multiple running protocols and force them to flag for encrypted HTTPS requests via unencrypted protocols such as FTP, email (IMAP, POP3) and others.
A successful attack "allows you to steal session cookies and other personal data of a user, or execute arbitrary JavaScript code in the context of a vulnerable web server, bypassing TLS and web application security."
More than 119,000 web servers were vulnerable to ALPACA attacks, experts said. The NSA is asking organizations to enable Application-Layer Protocol Negotiation (ALPN), which is an extension of TLS that prevents servers from responding to requests through prohibited protocols (such as FTP, IMAP, etc.).
The US National Security Agency has alerted organizations and companies to a new TLS attack called the Application Layer Protocol Content Confusion Attack (ALPACA). The NSA has urged organizations to follow technical guidelines and protect servers from scenarios where attackers can access and decrypt encrypted web traffic.
The NSA has highlighted the use of wildcard TLS certificates, which many security researchers have also warned about over the years. A wildcard certificate is a digital TLS certificate obtained by companies from CAs that allows the owner to apply it to a domain and all its subdomains at the same time (* .example.com).
Over the years, companies have used wildcard certificates to reduce cost and manageability because administrators can use the same certificate across all servers instead of managing different certificates for each subdomain.
However, this ease of use is also at risk, since an attacker only needs to break into the server and thus compromise the entire company network.
"An attacker who gains control of the private key associated with the wildcard certificate is able to impersonate any of the sites presented and gain access to the user's valid credentials and protected information," the NSA said.
The NSA report contains a warning about a new attack by ALPACA, recorded this summer. The attack allows an attacker to confuse web servers with multiple running protocols and force them to flag for encrypted HTTPS requests via unencrypted protocols such as FTP, email (IMAP, POP3) and others.
A successful attack "allows you to steal session cookies and other personal data of a user, or execute arbitrary JavaScript code in the context of a vulnerable web server, bypassing TLS and web application security."
More than 119,000 web servers were vulnerable to ALPACA attacks, experts said. The NSA is asking organizations to enable Application-Layer Protocol Negotiation (ALPN), which is an extension of TLS that prevents servers from responding to requests through prohibited protocols (such as FTP, IMAP, etc.).
