This ALPACA Spits On Your Transport Layer Security

Source: The Register This ALPACA Spits On Your Transport Layer Security

Application Layer Protocol Confusion – Analyzing and Mitigating Cracks in TLS Authentication?

You can see why the researchers from the three universities which discovered this new flaw in TLS quickly picked an acronym that will stick; if they hadn’t you can bet someone else would.  Unfortunately the moniker is the only cute thing about this post, there are well over a million webservers that are currently vulnerable to this attack.  The flaw is not easy to take advantage of, but then again it is not easy to fix as it rises from a combination of programs and protocols.

The list of programs that are involved in this vulnerability is incredibly long, including Sendmail SMTP, IMAP, Microsoft IIS, and FileZilla Server to name a few; you can see the full list at The Register.  There is a process by which an attacker could extract session cookies or other personal data from an HTTPS session and are also able to use it to execute JavaScript programs you would much rather not run.

The steps required to resolve the issue will also mean breaking legacy applications, to mitigate the base vulnerability Application Layer Protocol Negotiation and Server Name Indication extensions will need to move to TLS traffic.  This suggests that the flaw will be with us for a bit.

Academics from three German universities have found a vulnerability in the Transport Layer Security (TLS) protocol that under limited circumstances allows the theft of session cookies and enables cross-site scripting attacks.

Video News

About The Author

Jeremy Hellstrom

Call it,, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Latest Podcasts

Archive & Timeline

Previous 12 months
Explore: All The Years!