This ALPACA Spits On Your Transport Layer Security

Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication?
You can see why the researchers from the three universities that discovered this new flaw in TLS quickly picked an acronym that will stick; if they hadn’t, you can bet someone else would have. Unfortunately, the moniker is the only cute thing about this post: there are well over a million webservers that are currently vulnerable to this attack. The flaw is not easy to take advantage of, but then again it is not easy to fix, as it arises from a combination of programs and protocols.
The list of programs that are involved in this vulnerability is incredibly long, including Sendmail SMTP, IMAP, Microsoft IIS, and FileZilla Server to name a few; you can see the full list at The Register. There is a process by which an attacker could extract session cookies or other personal data from an HTTPS session, and could also use it to execute JavaScript programs you would much rather not run.
The steps required to resolve the issue will also mean breaking legacy applications: to mitigate the base vulnerability, the Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI) extensions will need to move to TLS traffic. This suggests that the flaw will be with us for a bit.
Academics from three German universities have found a vulnerability in the Transport Layer Security (TLS) protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks.