rspec/rules/S5332/description.adoc

Clear-text protocols such as ``++ftp++``, ``++telnet++`` or  non-secure ``++http++`` lack encryption of transported data, as well as the capability to build an authenticated connection. 
It means that an attacker able to sniff traffic from the network can read, modify or corrupt the transported content. These protocols are not secure as they expose applications to an extensive range of risks:

* Sensitive data exposure
* Traffic redirected  to a malicious endpoint
* Malware infected software update or installer
* Execution of client side code
* Corruption of critical information

Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks involving communications being sniffed or tampered with can still happen.

For example, attackers could successfully compromise prior security layers by:

* Bypassing isolation mechanisms
* Compromising a component of the network
* Getting the credentials of an internal IAM account (either from a service account or an actual person)

In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network components.
By layering various security practices (segmentation and encryption, for example), the application will follow the _defense-in-depth_ principle.

Note that using the ``++http++`` protocol is being deprecated by https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http[major web browsers].

In the past, it has led to the following vulnerabilities:

* https://nvd.nist.gov/vuln/detail/CVE-2019-6169[CVE-2019-6169]
* https://nvd.nist.gov/vuln/detail/CVE-2019-12327[CVE-2019-12327]
* https://nvd.nist.gov/vuln/detail/CVE-2019-11065[CVE-2019-11065]
Modify rule S5332: Improve description (#474) 2021-10-14 16:12:59 +02:00			Clear-text protocols such as ``++ftp++``, ``++telnet++`` or non-secure ``++http++`` lack encryption of transported data, as well as the capability to build an authenticated connection.
			`It means that an attacker able to sniff traffic from the network can read, modify or corrupt the transported content. These protocols are not secure as they expose applications to an extensive range of risks:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* Sensitive data exposure`
			`* Traffic redirected to a malicious endpoint`
			`* Malware infected software update or installer`
			`* Execution of client side code`
			`* Corruption of critical information`

Modify rule S5332: Improve description (#474) 2021-10-14 16:12:59 +02:00			`Even in the context of isolated networks like offline environments or segmented cloud environments, the insider threat exists. Thus, attacks involving communications being sniffed or tampered with can still happen.`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
Modify rule S5332: Improve description (#474) 2021-10-14 16:12:59 +02:00			`For example, attackers could successfully compromise prior security layers by:`
[java] fix formatting in rules descriptions (#504) 2021-10-18 16:27:36 +02:00
Modify rule S5332: Improve description (#474) 2021-10-14 16:12:59 +02:00			`* Bypassing isolation mechanisms`
			`* Compromising a component of the network`
			`* Getting the credentials of an internal IAM account (either from a service account or an actual person)`

			`In such cases, encrypting communications would decrease the chances of attackers to successfully leak data or steal credentials from other network components.`
			`By layering various security practices (segmentation and encryption, for example), the application will follow the _defense-in-depth_ principle.`

			Note that using the ``++http++`` protocol is being deprecated by https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http[major web browsers].
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`In the past, it has led to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* https://nvd.nist.gov/vuln/detail/CVE-2019-6169[CVE-2019-6169]`
			`* https://nvd.nist.gov/vuln/detail/CVE-2019-12327[CVE-2019-12327]`
			`* https://nvd.nist.gov/vuln/detail/CVE-2019-11065[CVE-2019-11065]`