Security News

New TLS Attack Lets Attackers Launch Cross-Protocol Attacks Against Secure Sites
2021-06-10 21:00

Researchers have disclosed a new type of attack that exploits misconfigurations in transport layer security servers to redirect HTTPS traffic from a victim's web browser to a different TLS service endpoint located on another IP address to steal sensitive information. The attacks have been dubbed ALPACA, short for "Application Layer Protocol Confusion - Analyzing and mitigating Cracks in tls Authentication," by a group of academics from Ruhr University Bochum, Münster University of Applied Sciences, and Paderborn University.

ALPACA: New TLS Attack Allows User Data Extraction, Code Execution
2021-06-10 11:26

Researchers from three universities in Germany have identified a new TLS attack method that can allow a man-in-the-middle attacker to extract user data or execute arbitrary code. The new attack, dubbed ALPACA, has been described as an "Application layer protocol content confusion attack."

ALPACA gnaws through TLS protection to snarf cookies and steal data
2021-06-10 00:07

Academics from three German universities have found a vulnerability in the Transport Layer Security protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks. Because TLS does not bind TCP connections to the desired application layer protocol, there's an opportunity for a miscreant-in-the-middle attack to redirect TLS traffic to a different endpoint at another IP address or port.

When cryptography attacks – how TLS helps malware hide in plain sight
2021-04-21 18:33

Ten years ago, even the biggest and most popular online services in the world, such as Facebook, Gmail and Hotmail, didn't use TLS all the time - it was thought to be too complicated, too slow, and not always necessary. These days we expect our web browsing to be protected by TLS all the time.

Half of Q1's malware traffic observed by Sophos was TLS encrypted, hiding inside legit requests to legit services
2021-04-21 13:32

British infosec biz Sophos reckons just under half of malware traffic it saw in the wild during the opening three months of 2021 alone was using Transport Layer Security to encrypt both its command-and-control traffic and data exfiltration. He was open about this only being traffic observed by Sophos, meaning the true worldwide figure for TLS-encrypted malware traffic could differ.

Accedian launches TLS 1.3 decryption capabilities for Skylight platform
2021-03-11 01:15

Accedian announced that its cloud-native performance monitoring and analytics platform, Skylight, will include new decryption technology to ensure end-to-end visibility on encrypted network traffic. The technology supports all Transport Layer Security versions, including TLS 1.3, allowing customers to maintain the privacy and security of encryption while still gaining valuable insight into network traffic for performance monitoring and threat detection.

Google Voice silenced by expired TLS certificate in February outage
2021-02-28 14:25

In an incident report published on Friday, Google said that a Google Voice outage affecting a majority of the telephone service's users earlier this month was caused by expired TLS certificates. During regular operation, voice calls made through Google Voice are controlled using the Session Initiation Protocol, with client devices immediately retrying their connection to the service once it breaks.

Enhancing Email Security with MTA-STS and SMTP TLS Reporting
2021-01-25 23:44

Mail Transfer Agent-Strict Transport Security is a relatively new standard that enables mail service providers to enforce Transport Layer Security to secure SMTP connections and to specify whether sending SMTP servers should refuse to deliver emails to MX hosts that do not offer TLS with a reliable server certificate. SMTP TLS Reporting is a standard that enables reporting of issues in TLS connectivity experienced by applications that send emails, and detection of misconfigurations.

NSA Issues Guidance on Replacing Obsolete TLS Versions
2021-01-07 15:12

The National Security Agency this week issued guidance for National Security System, Department of Defense, and Defense Industrial Base cybersecurity decision makers, system admins, and network security analysts to replace obsolete versions of the Transport Layer Security protocol. While older versions of the security protocols, namely SSL, TLS 1.0, and TLS 1.1, have been deprecated in many existing online services and applications, there are still systems that rely on these insecure protocols, thus exposing entire networks.

NSA Urges SysAdmins to Replace Obsolete TLS Protocols
2021-01-06 22:16

"Network connections employing obsolete protocols are at an elevated risk of exploitation by adversaries. As a result, all systems should avoid using obsolete configurations for TLS and SSL protocols." The NSA's alert adds on to an existing collective push for updating TLS protocols, with some of the biggest standards bodies and regulators mandating that web server operators ensure they move to TLS 1.2 before the end of 2020.