Thursday, August 5, 2021

ALPACA – the wacky TLS security vulnerability with a cool title – Bare Safety

TLS, short for Transport Layer Security, is an important part of online cybersecurity these days.

TLS is the data protection protocol that puts the padlock in your browser’s address bar, keeps your email encrypted while it’s being sent (probably), and prevents cybercrooks from casually substituting the software you download with malware and other nasties.

The TLS protocol works by:

  • Agreeing a one-time encryption key with the other end of the connection, to protect your data from snooping and surveillance.
  • Verifying the person or company operating the server at the other end, making it harder for crooks to set up fake sites to trick you.
  • Checking the integrity of data as it arrives, to stop other people on the network from tampering with the content along the way.

So, whenever a vulnerability is announced in TLS, given how much we rely on it, the announcement typically makes big headlines.

Amusingly, perhaps, that’s had a sort of circular effect, with researchers going out of their way to come up with names and logos for TLS vulnerabilities that encourage big headlines in the first place.

We jocularly call them BWAINs – an impressive name that’s short for Bug With An Impressive Name – and examples include vulnerabilities dubbed BEAST, Heartbleed, Logjam, Lucky Thirteen, and now…

…the delightfully named ALPACA.

A real attack, but not too much of a danger

The good news is that ALPACA isn’t a terribly usable attack, and there are some fairly simple ways to ensure it doesn’t happen on your servers (and therefore, indirectly, to your visitors), so there isn’t a clear and present danger to online commerce because of it.

The bad news, of course, is that ALPACA is a vulnerability nevertheless, or more precisely a family of vulnerabilities, and it exists because we, as an internet community, haven’t been quite as careful or as precise as perhaps we should have been when setting up our servers to use TLS in the first place.