
Insecure Network Communication

Fixing Insecure Network Communication

About Cleartext Transmission

What is Cleartext Transmission?

Cleartext transmission, also known as plaintext transmission, refers to the process of transmitting data over a network or communication channel without encryption or other security measures that protect the data from interception or unauthorized access.

In cleartext transmission, the data is transmitted in plain, human-readable format, which means that anyone who has access to the communication channel can read, intercept, or modify the data without any difficulty.

Cleartext transmission can occur in various communication protocols, such as HTTP, FTP, SMTP, and Telnet, and can affect various types of data, such as login credentials, credit card information, personal data, and other types of sensitive information.

Check out these videos for a high-level explanation:

  • Communication over cleartext protocol

  • Unprotected transport of sensitive information

  • Unprotected transport of credentials

What is the impact of Cleartext Transmission?

Cleartext transmission can lead to various security threats and risks, such as:

  • Information disclosure: Cleartext transmission can expose sensitive or confidential information to unauthorized parties, such as passwords, credit card numbers, personal data, or other types of sensitive information.
  • Man-in-the-middle attacks: Cleartext transmission can be intercepted by attackers who can eavesdrop on the communication channel, modify or steal the data, or impersonate the parties involved in the communication.
  • Identity theft: Cleartext transmission can lead to identity theft, where attackers can use stolen personal data to assume the identity of victims and perform various malicious activities, such as financial fraud or unauthorized access to systems.
  • Data tampering: Cleartext transmission can allow attackers to modify or inject false data into the communication channel, leading to data tampering, data corruption, or other types of malicious activities.

How to prevent Cleartext Transmission?

To prevent cleartext transmission, you can take the following steps:

  • Use encryption: Encrypt sensitive data before transmitting it over any communication channel. Use encryption protocols such as SSL/TLS or HTTPS to ensure that data is encrypted in transit.
  • Secure communication channels: Use secure communication channels such as SFTP, SSH, or VPNs to transmit sensitive data. These protocols provide encryption and authentication, which can help prevent unauthorized access and eavesdropping.
  • Disable cleartext protocols: Disable cleartext protocols such as HTTP or FTP, and use only encrypted protocols such as HTTPS or SFTP to transmit sensitive data.
  • Implement data validation: Implement data validation mechanisms to ensure that only valid data is transmitted. Validate user input and filter out any sensitive data before transmitting it.


Option A: Use an encrypted communications channel

The communication channel used is not encrypted. The traffic could be read by an attacker intercepting the network traffic.

  1. Go through the issues that GuardRails identified in the PR/MR.

  2. Look for code like this:

    public without sharing class Foo {
        void foo() {
            HttpRequest req = new HttpRequest();
            // Insecure: http:// sends the request and response in cleartext
            req.setEndpoint('http://example.com');
        }
    }

  3. Replace it with the secure HTTPS alternative:

    public without sharing class Foo {
        void foo() {
            HttpRequest req = new HttpRequest();
            // Secure: https:// encrypts the request and response in transit (TLS)
            req.setEndpoint('https://example.com');
        }
    }

  4. Test it

  5. Ship it 🚢 and relax 🌴
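
To repeat step 2 across a whole code base, the following added example (not part of the original page and not GuardRails' own detection logic) scans Apex source for `setEndpoint` calls that receive an `http://` URL, either as a literal or through a string variable assigned earlier. The sample class and the named credential in it are constructed; endpoints built by concatenation or loaded from configuration are outside what this check sees.

```python
import re

# Apex string literals (single-quoted) or comments. Strings are matched first so
# the "//" inside 'http://...' is not mistaken for the start of a line comment.
TOKEN = re.compile(r"'(?:\\.|[^'\\\n])*'|//[^\n]*|/\*.*?\*/", re.DOTALL)
ASSIGN = re.compile(r"\b(\w+)\s*=\s*'([^']*)'")  # name = 'literal'
CALL = re.compile(r"\.setEndpoint\s*\(\s*(?:'([^']*)'|(\w+))\s*\)", re.I)

def strip_comments(src):
    """Blank out comments but keep newlines, so line numbers stay correct."""
    def repl(m):
        text = m.group(0)
        return text if text.startswith("'") else re.sub(r"[^\n]", " ", text)
    return TOKEN.sub(repl, src)

def find_cleartext_endpoints(src):
    """Return (line, url) for each setEndpoint() call given an http:// URL."""
    literals, findings = {}, []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for name, value in ASSIGN.findall(line):
            literals[name.lower()] = value  # Apex identifiers are case-insensitive
        for literal, var in CALL.findall(line):
            url = literals.get(var.lower()) if var else literal
            if url and url.lower().startswith("http://"):
                findings.append((lineno, url))
    return findings

# Constructed sample input: two insecure calls, one commented-out call,
# one HTTPS call and one named-credential call (hypothetical name).
SAMPLE = """\
public without sharing class Foo {
    // old: req.setEndpoint('http://legacy.example.com');
    void foo() {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('http://example.com');
        String base = 'http://api.example.com/v1';
        HttpRequest r2 = new HttpRequest();
        r2.setEndpoint(base);
        HttpRequest r3 = new HttpRequest();
        r3.setEndpoint('https://example.com');
        r3.setEndpoint('callout:My_Named_Credential/path');
    }
}
"""

if __name__ == "__main__":
    for lineno, url in find_cleartext_endpoints(SAMPLE):
        print(f"line {lineno}: cleartext endpoint {url}")
```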