Clear-text protocols such as telnet or non-secure http lack encryption of the transported data. They also lack the capability to build an authenticated connection. This means that any attacker who can sniff traffic from the network can read, modify or corrupt the transported content. These protocols are not secure, as they expose applications to a large range of risks:
- Sensitive data exposure
- Traffic redirected to a malicious endpoint
- Malware infected software update or installer
- Execution of client side code
- Corruption of critical information
Note also that use of the http protocol is being deprecated by major web browsers.
In the past, it has led to the following vulnerabilities:
Ask Yourself Whether
- The confidentiality and integrity of data is necessary in the context of the web application.
- The data is exchanged on an exposed network (Internet, public network etc).
- Your application renders web pages with a relaxed mixed content policy.
- OS level protections against clear-text traffic are deactivated.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
- Use ssh as an alternative to telnet
- Use ftps instead of ftp
- Use https instead of http
- Use STARTTLS instead of clear-text SMTP
- Configure your application to block mixed content when rendering web pages.
- If available, enforce OS level deactivation of all clear-text traffic.
It is recommended to secure all transport channels (even local networks), as it can take a single non-secure connection to compromise an entire application or system.
Sensitive Code Example
#include <curl/curl.h>
char* http_url = "http://example.com"; // Sensitive
char* ftp_url = "ftp://firstname.lastname@example.org"; // Sensitive
char* telnet_url = "telnet://email@example.com"; // Sensitive
CURL *curl_ftp = curl_easy_init();
curl_easy_setopt(curl_ftp, CURLOPT_URL, "ftp://example.com/"); // Sensitive
CURL *curl_smtp = curl_easy_init();
curl_easy_setopt(curl_smtp, CURLOPT_URL, "smtp://example.com:587"); // Sensitive
Compliant Solution
#include <curl/curl.h>
char* https_url = "https://example.com"; // Compliant
char* sftp_url = "sftp://firstname.lastname@example.org"; // Compliant
char* ssh_url = "ssh://email@example.com"; // Compliant
CURL *curl_ftps = curl_easy_init();
curl_easy_setopt(curl_ftps, CURLOPT_URL, "ftp://example.com/"); // Compliant
curl_easy_setopt(curl_ftps, CURLOPT_USE_SSL, CURLUSESSL_ALL); // FTP transport is done over TLS
CURL *curl_smtp_tls = curl_easy_init();
curl_easy_setopt(curl_smtp_tls, CURLOPT_URL, "smtp://example.com:587"); // Compliant
curl_easy_setopt(curl_smtp_tls, CURLOPT_USE_SSL, CURLUSESSL_ALL); // SMTP with STARTTLS
No issue is reported for the following cases because they are not considered sensitive:
- Insecure protocol scheme followed by loopback addresses like 127.0.0.1 or
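The following is an added example, not part of the original rule page and not SonarSource's own implementation: a small C check that applies the rule's logic to URL string literals, flagging the clear-text schemes named above (http, ftp, telnet) as sensitive, treating encrypted schemes as compliant, and exempting loopback hosts (127.x.x.x, localhost, [::1]) as the exception list describes. The function names (check_url, extract_host, is_loopback) and the url_verdict enum are assumptions of this example. It only inspects URL text; the libcurl case, where a clear-text smtp:// or ftp:// URL becomes compliant once CURLOPT_USE_SSL is set to CURLUSESSL_ALL, needs tracking of that option and is not covered here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Verdict for one URL under the clear-text protocol rule (names are this example's own). */
typedef enum {
    URL_COMPLIANT = 0,   /* encrypted scheme, or no scheme at all */
    URL_SENSITIVE = 1,   /* clear-text scheme reaching a non-loopback host */
    URL_LOOPBACK  = 2    /* clear-text scheme, but the host is loopback: not reported */
} url_verdict;

/* Case-insensitive comparison of the first n bytes of s with a lowercase scheme name. */
static int scheme_equals(const char *s, size_t n, const char *name) {
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Copy the host out of the authority part (text after "://" up to '/', '?' or '#'),
   dropping any "user:pw@" prefix and a trailing ":port". IPv6 literals keep their brackets. */
static void extract_host(const char *after_scheme, char *host, size_t cap) {
    size_t n = strcspn(after_scheme, "/?#");
    const char *at = memchr(after_scheme, '@', n);
    const char *start = at ? at + 1 : after_scheme;
    size_t len = n - (size_t)(start - after_scheme);
    if (len > 0 && start[0] == '[') {
        const char *rb = memchr(start, ']', len);
        if (rb) len = (size_t)(rb - start) + 1;
    } else {
        const char *colon = memchr(start, ':', len);
        if (colon) len = (size_t)(colon - start);
    }
    if (len >= cap) len = cap - 1;
    memcpy(host, start, len);
    host[len] = '\0';
}

/* Loopback: "localhost", "[::1]", or any IPv4 address in 127.0.0.0/8. */
static int is_loopback(const char *host) {
    if (strcmp(host, "localhost") == 0 || strcmp(host, "[::1]") == 0) return 1;
    unsigned a, b, c, d;
    char tail;
    if (sscanf(host, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) == 4)
        return a == 127 && b < 256 && c < 256 && d < 256;
    return 0;
}

url_verdict check_url(const char *url) {
    const char *sep = strstr(url, "://");
    if (!sep) return URL_COMPLIANT;          /* no scheme: nothing to judge */
    size_t slen = (size_t)(sep - url);
    static const char *cleartext[] = { "http", "ftp", "telnet" };
    int clear = 0;
    for (size_t i = 0; i < sizeof cleartext / sizeof cleartext[0]; i++)
        if (scheme_equals(url, slen, cleartext[i])) clear = 1;
    if (!clear) return URL_COMPLIANT;
    char host[256];
    extract_host(sep + 3, host, sizeof host);
    return is_loopback(host) ? URL_LOOPBACK : URL_SENSITIVE;
}

int main(void) {
    /* Inputs are the URL literals from the rule's examples plus constructed loopback cases. */
    const char *samples[] = {
        "http://example.com", "ftp://firstname.lastname@example.org",
        "telnet://email@example.com", "https://example.com",
        "sftp://firstname.lastname@example.org", "ssh://email@example.com",
        "http://127.0.0.1:8080/health", "http://localhost/", "http://[::1]:80/"
    };
    static const char *label[] = { "Compliant", "Sensitive", "Loopback (not reported)" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i], label[check_url(samples[i])]);
    return 0;
}
```

Running it prints one line per URL with its verdict; the three clear-text literals from the Sensitive Code Example come out as Sensitive, the three from the Compliant Solution as Compliant, and the loopback URLs as not reported.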