Security News > 2021 > June > ALPACA – the wacky TLS security vulnerability with a funky name
The bad news, of course, is that ALPACA is a vulnerability nevertheless, or more precisely a family of vulnerabilities, and it exists because we, as an internet community, haven't been quite as careful or as precise as perhaps we should have been when setting up our servers to use TLS in the first place.
The researchers discovered that millions of network domains out there not only use TLS on multiple servers for multiple different purposes, such as securing both HTTP and SMTP, but also often fail to keep the verification part of the TLS process separate for the different services they offer.
The problem is that TLS secures the raw data that gets transported across the connection it's protecting, and verifies the name of the server it's been asked to connect to, but it doesn't formally verify the actual application that's running at each end of the link, or determine the validity of the data that's being exchanged.
Except for one thing: the browser thinks it's connected to the real web server, and it made that decision because it was presented with a TLS certificate that would have been valid for the web server, if indeed that's where it had ended up.
Your browser ends up trusting the wrong server, and talking to it in the wrong sort of language, but is nevertheless able to pull off some sort of harmful security bypass without directly hacking any of the servers themselves.
TLS therefore now allows the client to specify up front which service it plans to use on the server it's connecting to, using a feature known as SNI. The server typically uses the SNI information to decide which TLS certificate to send out to verify the connection that's being made.