National Security Agency warns of Wildcard TLS Certificates and the ALPACA Technique

Wildcard certificates are often used to authenticate multiple servers, saving organizations time and money. Wildcard certificates have legitimate uses, but can confer risk from poorly secured servers to other servers in the same certificate’s scope.

A new style of web application exploitation, dubbed “ALPACA,” increases the risk from using broadly scoped wildcard certificates to verify server identities during the Transport Layer Security (TLS) handshake. Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA) is a technique used to exploit hardened web applications through nonHTTP (Hypertext Transfer Protocol) services secured using the same or a similar TLS certificate. This Cybersecurity Information Sheet details the risks from wildcard certificates and ALPACA, and provides mitigations for both.

Administrators should assess their environments to ensure that their certificate usage, especially the use of wildcard certificates, does not create unmitigated risks, and in particular, that their organizations’ web servers are not vulnerable to ALPACA techniques.

ALPACA is a complex class of exploitation techniques that can take many forms. Administrators are encouraged to read the full ALPACA whitepaper for additional details.

Further details – https://media.defense.gov/2021/Oct/07/2002869955/-1/-1/0/CSI_AVOID%20DANGERS%20OF%20WILDCARD%20TLS%20CERTIFICATES%20AND%20THE%20ALPACA%20TECHNIQUE_211007.PDF