Insecure Network Communication

Why is this important?

Ensuring that the data in transit is secured between users and your application is the most fundamental security requirement. If this security control is not in place then all bets are off and attackers have many ways to attack your users.

Check out this video for a high-level explanation:

Insufficient Transport Layer Protection

Fixing Insecure Network Communication

Option A: Disable Insecure Verification of SSL/TLS

  1. Go through the issues that GuardRails identified in the PR.
  2. Replace InsecureSkipVerify: true:

     package main
     import (
         "crypto/tls"
         "fmt"
         "net/http"
     )
     func main() {
         tr := &http.Transport{
             // This is the insecure setting; it must be false so the server certificate is verified.
             TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
         }
         client := &http.Client{Transport: tr}
         _, err := client.Get("https://golang.org/")
         if err != nil {
             fmt.Println(err)
         }
     }
    

    with InsecureSkipVerify: false:

     // Ensure that the server presents a valid certificate
     // Free certificates are available at https://letsencrypt.org/
     TLSClientConfig: &tls.Config{InsecureSkipVerify: false},
    
  3. Test it

  4. Ship it 🚢 and relax 🌴

Option B: Set TLS Min and Max Version to Secure Values

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for MinVersion and MaxVersion:

     package main
     import (
         "crypto/tls"
         "fmt"
         "net/http"
     )
     func main() {
         tr := &http.Transport{
             TLSClientConfig: &tls.Config{
                 // These are the insecure lines
                 MinVersion: 0,
                 MaxVersion: 0,
             },
         }
         client := &http.Client{Transport: tr}
         _, err := client.Get("https://golang.org/")
         if err != nil {
             fmt.Println(err)
         }
     }
    

    and replace them with the correct values:

     package main
     import (
         "crypto/tls"
         "fmt"
         "net/http"
     )
     func main() {
         tr := &http.Transport{
             TLSClientConfig: &tls.Config{
                 // Remove MaxVersion, because the following line is sufficient.
                 MinVersion: tls.VersionTLS12,
             },
         }
         client := &http.Client{Transport: tr}
         _, err := client.Get("https://golang.org/")
         if err != nil {
             fmt.Println(err)
         }
     }
    
  3. Test it

  4. Ship it 🚢 and relax 🌴

Option C: Set Secure CipherSuite Values

  1. Go through the issues that GuardRails identified in the PR.
  2. Look for CipherSuites:

     package main
     import (
         "crypto/tls"
         "fmt"
         "net/http"
     )
     func main() {
         tr := &http.Transport{
             // This is an example of insecure CipherSuites
             TLSClientConfig: &tls.Config{CipherSuites: []uint16{
                 tls.TLS_RSA_WITH_RC4_128_SHA,
                 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
             }},
         }
         client := &http.Client{Transport: tr}
         _, err := client.Get("https://golang.org/")
         if err != nil {
             fmt.Println(err)
         }
     }
    

    replace them with the correct values:

     package main
     import (
         "crypto/tls"
         "fmt"
         "net/http"
     )
     func main() {
         tr := &http.Transport{
             // This is an example of secure CipherSuites
             TLSClientConfig: &tls.Config{CipherSuites: []uint16{
                 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                 tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                 // The TLS_RSA_* suites use static RSA key exchange and so provide no
                 // forward secrecy; drop them once all peers support the ECDHE suites above.
                 tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
                 tls.TLS_RSA_WITH_AES_256_CBC_SHA,
             }},
         }
         client := &http.Client{Transport: tr}
         _, err := client.Get("https://golang.org/")
         if err != nil {
             fmt.Println(err)
         }
     }
    
  3. Test it

  4. Ship it 🚢 and relax 🌴
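The three options above each fix one field of tls.Config. The following added example (not GuardRails' own code) pulls those checks into a single hypothetical AuditTLSConfig helper that a test suite can run over every tls.Config in a code base; the two sample configs are constructed here, and the cipher-suite check relies on crypto/tls's own InsecureCipherSuites list plus a name-prefix heuristic for static RSA key exchange.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// insecureSuiteIDs indexes the cipher suites that crypto/tls itself marks as insecure.
func insecureSuiteIDs() map[uint16]bool {
	ids := make(map[uint16]bool)
	for _, cs := range tls.InsecureCipherSuites() {
		ids[cs.ID] = true
	}
	return ids
}

// AuditTLSConfig (hypothetical helper) returns one finding per weak setting
// covered by Options A to C, or nil when the config is hardened.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify is true: the server certificate is not verified")
	}
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2 (0 leaves it to the library default)", cfg.MinVersion))
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, fmt.Sprintf("MaxVersion 0x%04x caps negotiation below TLS 1.2", cfg.MaxVersion))
	}
	insecure := insecureSuiteIDs()
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "cipher suite "+name+" is marked insecure by crypto/tls")
		case strings.HasPrefix(name, "TLS_RSA_WITH_"):
			findings = append(findings, "cipher suite "+name+" uses static RSA key exchange (no forward secrecy)")
		}
	}
	return findings
}

func main() {
	// Constructed samples: the weak settings from Options A to C, and a hardened counterpart.
	weak := &tls.Config{InsecureSkipVerify: true, CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA}}
	hardened := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}}
	for _, cfg := range []*tls.Config{weak, hardened} {
		fmt.Printf("%d finding(s): %v\n", len(AuditTLSConfig(cfg)), AuditTLSConfig(cfg))
	}
}
```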

More information: