Clear-text protocols as ftp, telnet or non secure http are lacking encryption of transported data. They are also missing the capability to build an authenticated connection. This mean that any attacker who can sniff traffic from the network can read, modify or corrupt the transported content. These protocol are not secure as they expose applications to a large range of risk:

Note also that using the http protocol is being deprecated by major web browser.

In the past, it has led to the following vulnerabilities:

Ask Yourself Whether

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

It is recommended to secure all transport channels (event local network) as it can take a single non secure connection to compromise an entire application or system.

Sensitive Code Example

url = "http://example.com"; // Sensitive
url = "ftp://anonymous@example.com"; // Sensitive
url = "telnet://anonymous@example.com"; // Sensitive

For nodemailer:

const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
  secure: false, // Sensitive
  requireTLS: false // Sensitive
});
const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({}); // Sensitive

For ftp:

var Client = require('ftp');
var c = new Client();
c.connect({
  'secure': false // Sensitive
});

For telnet-client:

const Telnet = require('telnet-client'); // Sensitive

Compliant Solution

url = "https://example.com"; // Compliant
url = "sftp://anonymous@example.com"; // Compliant
url = "ssh://anonymous@example.com"; // Compliant

For nodemailer one of the following options must be set:

const nodemailer = require("nodemailer");
let transporter = nodemailer.createTransport({
  secure: true, // Compliant
  requireTLS: true, // Compliant
  port: 465, // Compliant
  secured: true // Compliant
});

For ftp:

var Client = require('ftp');
var c = new Client();
c.connect({
  'secure': true // Compliant
});

Exceptions

No issue is reported for the following cases because they are not considered sensitive:

See