NSA warns of ALPACA attacks using wildcard TLS certificates

The attack allows an attacker to steal personal data or execute arbitrary JavaScript code in the context of a vulnerable web server.

The U.S. National Security Agency (NSA) has warned organizations and companies about a TLS attack called Application Layer Protocol Content Confusion Attack (ALPACA). The NSA urges organizations to follow its technical guidance and to protect servers against scenarios in which attackers can access and decrypt encrypted web traffic.

The NSA singled out the use of wildcard TLS certificates, something many security researchers have also warned about over the years. A wildcard certificate is a TLS certificate, obtained from a certificate authority (CA), that covers a domain and all of its subdomains at once (*.example.com).

Over the years, companies have used wildcard certificates to reduce cost and administrative effort, because administrators can deploy the same certificate on every server instead of managing a separate certificate for each subdomain.

This convenience, however, carries its own risk: an attacker only needs to break into one server holding the certificate to compromise the entire company network.

“An attacker who gains control of the private key associated with the wildcard certificate is able to impersonate any of the sites presented and gain access to the user’s valid credentials and protected information,” the NSA said.

The NSA report also warns about ALPACA, a new attack disclosed this summer. The attack lets an attacker confuse web servers that run multiple protocols and make them respond to encrypted HTTPS requests via unencrypted protocols such as FTP, email (IMAP, POP3) and others.

The successful attack “allows you to steal session cookies and other personal data of a user, or execute arbitrary JavaScript code in the context of a vulnerable web server, bypassing TLS and web application security.”

More than 119,000 web servers were vulnerable to ALPACA attacks, experts said. The NSA asks organizations to enable Application-Layer Protocol Negotiation (ALPN), a TLS extension that prevents servers from responding to requests over protocols they are not permitted to serve (such as FTP, IMAP, etc.).
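As an added illustration, not taken from the NSA report or the article, the Python below shows how a TLS listener built on the standard library can enforce the two checks the guidance points at: accept only its own ALPN identifier and only its own hostname via SNI, so a browser-style handshake (offering h2/http/1.1 for some other *.example.com name) is refused. The hostnames, certificate paths and the "imap" ALPN identifier are assumptions for the example.

```python
import ssl

# Alert sent when a client names a host this listener does not serve.
REJECT_ALERT = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


def check_sni(server_name, served_hosts):
    """Body of a server-side sni_callback.

    Returning None lets the handshake continue; returning an
    ALERT_DESCRIPTION_* code aborts it with that TLS alert.
    """
    if not server_name or server_name.lower() not in served_hosts:
        return REJECT_ALERT
    return None


def admit_connection(selected_alpn, allowed_alpn):
    """Post-handshake check.

    When the client's ALPN list has no overlap with ours (or it sends no
    ALPN at all), the handshake can still complete and
    selected_alpn_protocol() returns None, so the application itself must
    refuse such connections.
    """
    return selected_alpn in allowed_alpn


def build_server_context(certfile, keyfile, allowed_alpn, served_hosts):
    """TLS context for one service (here an IMAP listener) that shares a
    wildcard certificate with other services. Paths are hypothetical."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    # Advertise only this service's own IANA-registered ALPN identifier(s).
    ctx.set_alpn_protocols(list(allowed_alpn))
    ctx.sni_callback = lambda sock, name, _ctx: check_sni(name, served_hosts)
    return ctx


def serve_one(listening_sock, ctx, allowed_alpn, handler):
    """Accept one TCP connection, wrap it in TLS and hand it to the
    protocol handler only if the negotiated protocol is one we speak."""
    raw, _addr = listening_sock.accept()
    with ctx.wrap_socket(raw, server_side=True) as tls:
        if not admit_connection(tls.selected_alpn_protocol(), allowed_alpn):
            return False  # e.g. an h2/http/1.1 client redirected to this port
        handler(tls)
        return True
```

A deployment would call `build_server_context("/etc/ssl/wildcard.pem", "/etc/ssl/wildcard.key", ("imap",), frozenset({"imap.example.com"}))` and loop over `serve_one`.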

Chinese TikTok adds 5-second pauses between videos to combat addiction

5-second warning clips will remind you to “put the phone away” or “go to bed”.

Douyin, the Chinese “twin” of TikTok owned by the same company, ByteDance, is introducing measures to counter its own algorithms, which are tuned to hold users’ attention as long as possible. Users who “get stuck” in the app for too long will now be interrupted by forced pauses between clips, the South China Morning Post reports.

The social network inserts five-second pauses between videos that cannot be skipped. During these pauses users are shown clips reminding them to “put the phone away”, “go to bed” or that they “have work tomorrow”. The pauses appear when a user has spent too much time in the app.

Douyin had already restricted video viewing before, but those changes affected only its child audience: teenagers under 14 were limited to a maximum of 40 minutes of videos a day and were barred from using the app between 10 pm and 6 am.

Trump’s social network developers accused of illegal use of open source code

The Software Freedom Conservancy claims Trump Media and Technology Group copied the open source code of the decentralized social network Mastodon and built a new social network on it.

The Software Freedom Conservancy (SFC), a non-profit organization that enforces the rights of open source software developers and the terms of open licenses, has accused the developers of Trump’s social network, Truth Social, of violating the AGPLv3 license.

The SFC says the developers of the service used the open source code of the decentralized social network Mastodon in violation of its license terms.

Although the Mastodon code is free and open, projects that use it must comply with the terms of the Affero General Public License (AGPLv3), which among other things requires that the project’s source code be made available to all of its users. Trump’s media company does not yet offer this to TRUTH Social users and describes the social network as a proprietary development.

The SFC has given Trump Media and Technology Group 30 days to remedy the situation, The Verge writes. Otherwise the company will be barred from using Mastodon’s open source code.

Facebook end-to-end encryption will give foreign intelligence services surveillance capabilities

Former Facebook employee Frances Haugen has criticized the company’s decision to move messaging in its services to end-to-end encryption.

Introducing end-to-end encryption in Facebook’s messengers could harm users’ privacy and lead to increased surveillance by intelligence agencies, former employee of Mark Zuckerberg’s company Frances Haugen said, according to TASS.

According to her, once encryption is launched in the Messenger application and on the Facebook-owned social network Instagram, the company will lose the ability to track possible “malicious operations by representatives of special services.” “End-to-end encryption will allow Facebook to withdraw [from content moderation] and serve as an excuse for inaction,” Haugen said ahead of her October 25 appearance before the British Parliament as part of the discussion of the online safety bill.

The social network itself disagrees. In Facebook’s view, the introduction of end-to-end encryption in the Facebook Messenger and Instagram applications is, on the contrary, aimed primarily at protecting users’ privacy, and will shield them not only from foreign surveillance but also from hackers.
