Clear-text protocols as ftp, telnet or non secure http are lacking encryption of transported data. They are
also missing the capability to build an authenticated connection. This mean that any attacker who can sniff traffic from the network can read, modify
or corrupt the transported content. These protocol are not secure as they expose applications to a large range of risk:
Note also that using the http protocol is being deprecated by major web browser.
In the past, it has led to the following vulnerabilities:
There is a risk if you answered yes to any of those questions.
ssh as an alternative to telnet sftp, scp or ftps instead of ftp https instead of http SMTP over SSL/TLS or SMTP with STARTTLS instead of clear-text SMTP It is recommended to secure all transport channels (event local network) as it can take a single non secure connection to compromise an entire application or system.
These clients from Apache commons net libraries are based on unencrypted protocols and are not recommended:
TelnetClient telnet = new TelnetClient(); // Sensitive FTPClient ftpClient = new FTPClient(); // Sensitive SMTPClient smtpClient = new SMTPClient(); // Sensitive
Unencrypted HTTP connections, when using okhttp library for instance, should be avoided:
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.CLEARTEXT) // Sensitive .build();
Use instead these clients from Apache commons net and JSch/ssh library:
JSch jsch = new JSch(); // Compliant
if(implicit) {
// implicit mode is considered deprecated but offer the same security than explicit mode
FTPSClient ftpsClient = new FTPSClient(true); // Compliant
}
else {
FTPSClient ftpsClient = new FTPSClient(); // Compliant
}
if(implicit) {
// implicit mode is considered deprecated but offer the same security than explicit mode
SMTPSClient smtpsClient = new SMTPSClient(true); // Compliant
}
else {
SMTPSClient smtpsClient = new SMTPSClient(); // Compliant
smtpsClient.connect("127.0.0.1", 25);
if (smtpsClient.execTLS()) {
// commands
}
}
Perform HTTP encrypted connections, with okhttp library for instance:
ConnectionSpec spec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS) // Compliant .build();
No issue is reported for the following cases because they are not considered sensitive:
localhost