38 lines
1.7 KiB
Plaintext
38 lines
1.7 KiB
Plaintext
Clear-text protocols such as ``++ftp++``, ``++telnet++``, or ``++http++`` lack
|
|
encryption of transported data, as well as the capability to build an
|
|
authenticated connection. It means that an attacker able to sniff traffic from
|
|
the network can read, modify, or corrupt the transported content. These
|
|
protocols are not secure as they expose applications to an extensive range of
|
|
risks:
|
|
|
|
* sensitive data exposure
|
|
* traffic redirected to a malicious endpoint
|
|
* malware-infected software update or installer
|
|
* execution of client-side code
|
|
* corruption of critical information
|
|
|
|
Even in the context of isolated networks like offline environments or segmented
|
|
cloud environments, the insider threat exists. Thus, attacks involving
|
|
communications being sniffed or tampered with can still happen.
|
|
|
|
For example, attackers could successfully compromise prior security layers by:
|
|
|
|
* bypassing isolation mechanisms
|
|
* compromising a component of the network
|
|
* getting the credentials of an internal IAM account (either from a service
|
|
account or an actual person)
|
|
|
|
In such cases, encrypting communications would decrease the chances of attackers
|
|
to successfully leak data or steal credentials from other network components.
|
|
By layering various security practices (segmentation and encryption, for
|
|
example), the application will follow the _defense-in-depth_ principle.
|
|
|
|
Note that using the ``++http++`` protocol is being deprecated by
|
|
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http[major web browsers].
|
|
|
|
In the past, it has led to the following vulnerabilities:
|
|
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2019-6169[CVE-2019-6169]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2019-12327[CVE-2019-12327]
|
|
* https://nvd.nist.gov/vuln/detail/CVE-2019-11065[CVE-2019-11065]
|