Attack of the Alpacas

Attack of the Alpacas

How to find them in your environment

The National Security Agency (NSA) last week issued a technical advisory warning against the use of wildcard TLS certificates due to a specific vulnerability known as the Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA). 

Wildcard certificates are commonly deployed by administrators as a way to configure TLS certificates for all subdomains without having to create individual certificates. Normally, every subdomain of a URL (for example “” or “”) requires an individual TLS certificate. Instead of setting up multiple certificates for multiple subdomains, the administrator would use a wildcard (for example “*”) to make one digital certificate apply to every subdomain of the URL. 

The issue with this approach is that the wildcard certificate will be deployed across many servers in the environment for each subdomain.  Along with this certificate accompanies the certificate’s private key.  If any one of these servers is compromised and the attacker gains control of that private key, they gain control over all domains for that wildcard certificate.

As the NSA wrote in their statement, “A malicious cyber actor who gains control of the private key associated with a wildcard certificate will provide them the ability to impersonate any of the sites represented, and gain access to valid user credentials and protected information.” When these credentials are compromised, the system is vulnerable to an application layer protocol content confusion attack (ALPACA), where hackers redirect traffic from one subdomain to another and steal private user data in the process. 

Going forward, the best practice is to have one TLS/SSL certificate per subdomain. However, with so many certificates in an IT environment, it can be a challenge for administrators to identify and catalog everything. 

Device42 Certificate Discovery provides a way to find all of the TLS certificates deployed in an environment, identify their details, which servers they are deployed on, and their expiration dates.  This can be a key tool to locate any wildcard certificates and the servers on which they are deployed so IT teams can work on remediating these before they are attacked.

Register for a free demo or download a trial version to learn more about Device42 and Certificate Discovery.

Share this post

About the author