The NSA issued a technical advisory this week warning organizations against the use of wildcard TLS certificates and about the new ALPACA TLS attack.
While there are countless attacks that could help attackers decrypt TLS-encrypted traffic, the NSA specifically highlighted the use of wildcard TLS certificates, something that multiple security researchers have also warned against over the years.
A wildcard certificate is a digital TLS certificate that companies obtain from certificate authorities and that allows the owner to apply it to a domain and all its subdomains at the same time (*.domain.com).
Organizations have used wildcard certificates because of reduced costs and because they are easier to manage, as administrators can apply the same certificate across all servers instead of having to manage a different one for each subdomain.
A malicious threat actor who gains control of the private key associated with a wildcard certificate gains the ability to impersonate any of the sites represented and to gain access to valid user credentials and protected information. The agency is now urging administrators of both public and private networks to assess the need to use a wildcard certificate inside their networks and prepare to deploy individual certificates in order to isolate and limit possible compromises.
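To make the scope of a single wildcard key concrete, the following added example (not part of the NSA advisory or of this article's source) checks which hosts each certificate's names cover, using the common rule that `*` stands for exactly one left-most label. The certificate labels, names and host list are constructed for illustration.

```python
# Added example: constructed inventory, not data from the advisory.

def san_covers(san: str, host: str) -> bool:
    """Return True if a certificate name (SAN entry) is valid for host.

    '*' is honoured only as the entire left-most label and matches
    exactly one label, so *.domain.com covers mail.domain.com but
    neither domain.com nor api.dev.domain.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # e.g. ".domain.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]          # what the '*' would stand for
    return bool(label) and "." not in label


def blast_radius(certs: dict, hosts: list) -> dict:
    """Map each certificate to the hosts its private key could impersonate."""
    return {
        name: sorted(h for h in hosts if any(san_covers(s, h) for s in sans))
        for name, sans in certs.items()
    }


def wildcard_findings(certs: dict, hosts: list) -> dict:
    """Only the certificates carrying a wildcard name, with covered hosts."""
    radius = blast_radius(certs, hosts)
    return {name: radius[name] for name, sans in certs.items()
            if any(s.startswith("*.") for s in sans)}


# Constructed sample: certificate label -> names on the certificate.
CERTS = {
    "wildcard-cert": ["*.domain.com"],
    "www-only-cert": ["www.domain.com"],
}
# Constructed sample: hostnames the organization serves.
HOSTS = ["www.domain.com", "mail.domain.com", "ftp.domain.com",
         "domain.com", "api.dev.domain.com"]

if __name__ == "__main__":
    for name, covered in wildcard_findings(CERTS, HOSTS).items():
        print(f"{name}: one key covers {len(covered)} hosts: {covered}")
```

Run against a real inventory, the output shows which services share one private key and would need individual certificates to isolate a compromise.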
The advisory also comes with a warning about the new Application Layer Protocol Content Confusion Attack (ALPACA). The attack allows a threat actor to confuse web servers that run multiple protocols into responding to encrypted HTTPS requests via unencrypted protocols, such as FTP, email (IMAP, POP3), and others.
The issue was not taken seriously because executing an ALPACA attack required that threat actors be in a position to intercept web traffic, something that is difficult in some scenarios. Even so, more than 119,000 web servers were vulnerable to ALPACA attacks, which was quite a considerable number.
The NSA is urging organizations to enable Application-Layer Protocol Negotiation (ALPN), which is a TLS extension that prevents servers from responding to requests via non-allowed protocols.
The move comes after Google also implemented ALPACA defenses inside the Chrome web browser earlier this year.