This ALPACA Spits On Your Transport Layer Security 1

This ALPACA Spits On Your Transport Layer Security

General Tech
Spread the love
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
  •  
This ALPACA Spits On Your Transport Layer Security 2

Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication?

You can see why the researchers from the three universities which discovered this new flaw in TLS quickly picked an acronym that will stick; if they hadn’t you can bet someone else would.  Unfortunately the moniker is the only cute thing about this post, there are well over a million webservers that are currently vulnerable to this attack.  The flaw is not easy to take advantage of, but then again it is not easy to fix as it rises from a combination of programs and protocols.

The list of programs that are involved in this vulnerability is incredibly long, including Sendmail SMTP, IMAP, Microsoft IIS, and FileZilla Server to name a few; you can see the full list at The Register.  There is a process by which an attacker could extract session cookies or other personal data from an HTTPS session and are also able to use it to execute JavaScript programs you would much rather not run.

The steps required to resolve the issue will also mean breaking legacy applications, to mitigate the base vulnerability Application Layer Protocol Negotiation and Server Name Indication extensions will need to move to TLS traffic.  This suggests that the flaw will be with us for a bit.