Insecure Network Communication
Fixing Cleartext Transmission
About Cleartext Transmission
What is Cleartext Transmission?
Cleartext transmission, also known as plaintext transmission, refers to the process of transmitting data over a network or communication channel without encryption or other security measures that protect the data from interception or unauthorized access.
In cleartext transmission, the data is transmitted in plain, human-readable format, which means that anyone who has access to the communication channel can read, intercept, or modify the data without any difficulty.
Cleartext transmission can occur in various communication protocols, such as HTTP, FTP, SMTP, and Telnet, and can affect various types of data, such as login credentials, credit card information, personal data, and other types of sensitive information.
Check out these videos for a high-level explanation:
Communication over cleartext protocol
Unprotected transport of sensitive information
Unprotected transport of credentials
What is the impact of Cleartext Transmission?
Cleartext transmission can lead to various security threats and risks, such as:
- Information disclosure: Cleartext transmission can expose sensitive or confidential information to unauthorized parties, such as passwords, credit card numbers, personal data, or other types of sensitive information.
- Man-in-the-middle attacks: Cleartext transmission can be intercepted by attackers who can eavesdrop on the communication channel, modify or steal the data, or impersonate the parties involved in the communication.
- Identity theft: Cleartext transmission can lead to identity theft, where attackers can use stolen personal data to assume the identity of victims and perform various malicious activities, such as financial fraud or unauthorized access to systems.
- Data tampering: Cleartext transmission can allow attackers to modify or inject false data into the communication channel, leading to data tampering, data corruption, or other types of malicious activities.
How to prevent Cleartext Transmission?
To prevent cleartext transmission, you can take the following steps:
- Use encryption: Encrypt sensitive data before transmitting it over any communication channel. Use encryption protocols such as SSL/TLS or HTTPS to ensure that data is encrypted in transit.
- Secure communication channels: Use secure communication channels such as SFTP, SSH, or VPNs to transmit sensitive data. These protocols provide encryption and authentication, which can help prevent unauthorized access and eavesdropping.
- Disable cleartext protocols: Disable cleartext protocols such as HTTP or FTP, and use only encrypted protocols such as HTTPS or SFTP to transmit sensitive data.
- Implement data validation: Implement data validation mechanisms to ensure that only valid data is transmitted. Validate user input and filter out any sensitive data before transmitting it.
References
Taxonomies
Related CVEs
Training
Option A: Use an encrypted communications channel
The communication channel used is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Do note, that it is common to not directly expose an Elixir application, but rather expose it through a load balancer which typically takes care of the secure HTTPS connection.
Go through the issues that GuardRails identified in the PR/MR.
Look for code like this in your
prod.exsconfiguration:config :exchat, Exchat.Endpoint,
http: [port: {:system, "PORT"}],
url: [host: "example.com", port: 80],
cache_static_manifest: "priv/static/manifest.json",
server: trueReplace it with:
config :exchat, Exchat.Endpoint,
http: [port: {:system, "PORT"}],
url: [scheme: "https", host: "path.to.app", port: 443],
force_ssl: [rewrite_on: [:x_forwarded_proto]],
cache_static_manifest: "priv/static/manifest.json",
secret_key_base: System.get_env("SECRET_KEY_BASE")More information on configuring HTTPS can be found here
Test it
Ship it 🚢 and relax 🌴