Server Insecure Transport

ID

go.server_insecure_transport

Severity

high

Resource

Information Leak

Language

Go

Tags

CWE:319, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4

Description

A web server is started without SSL/TLS support, which means that the server is not authenticated to the client, traffic is not encrypted, and data can be modified in transit.

Rationale

SSL/TLS (Secure Sockets Layer/Transport Layer Security) is crucial for securing online communications by encrypting data between a client’s browser and a server. This encryption ensures that sensitive information, such as passwords and credit card numbers, cannot be intercepted or read by unauthorized parties during transmission.

SSL/TLS also verifies the identity of websites, building trust with users and enhancing the credibility of online services. Furthermore, search engines like Google favor HTTPS-enabled sites in their rankings.

Without properly configuring SSL/TLS, a server is vulnerable to several risks:

  • Data Interception: Sensitive data can be easily intercepted and read by hackers, leading to identity theft and financial fraud.

  • Man-in-the-Middle Attacks: Threat actors can modify data during transmission, potentially injecting malware or altering transaction details.

  • SEO Penalties: Search engines may penalize non-HTTPS sites by ranking them lower, reducing visibility and traffic.

  • User Trust Issues: Users may be warned by browsers that the site is not secure, leading to a loss of trust and potential abandonment of the site.

package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
        username := r.FormValue("username")
        password := r.FormValue("password")
        fmt.Fprintf(w, "Received username: %s and password: %s", username, password)
    })

    // Insecure: using HTTP instead of HTTPS, so the credentials submitted
    // to /login cross the network in clear text
    log.Fatal(http.ListenAndServe(":8080", nil))
}

Using unencrypted channels can expose sensitive data during transmission. Attackers can capture credentials, session tokens, or personal data using network sniffing.

Remediation

To fix the security issue, you can configure the server to use HTTPS by obtaining an SSL/TLS certificate and key. The certificate should be signed by a well-known and trusted certificate authority (CA).

Care must be taken to ensure that the private key is protected from unauthorized access and loaded securely when the server starts. The private key is usually stored encrypted, and the password or key used to decrypt it must itself be protected from unauthorized access.

package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
        username := r.FormValue("username")
        password := r.FormValue("password")
        fmt.Fprintf(w, "Received username: %s and password: %s", username, password)
    })

    // Secure: HTTPS server
    log.Fatal(http.ListenAndServeTLS(":8443", "server.crt", "server.key", nil))
}
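The remediation above only switches the listener to TLS. The following added example (not part of the original rule page) goes a step further: it builds the HTTPS server with an explicit tls.Config that refuses TLS 1.0/1.1, adds a Strict-Transport-Security header so browsers keep using HTTPS, and runs a separate plain-HTTP listener whose only job is to redirect to the HTTPS origin (stripping any port from the Host header so a redirect from a non-standard port does not point back at the insecure listener). The file names server.crt and server.key, the listen addresses and the example.test host used in comments are assumptions, not values from the page.

```go
package main

import (
    "log"
    "net"
    "net/http"
    "time"

    "crypto/tls"
)

// newTLSConfig returns a TLS configuration that refuses legacy protocol
// versions. TLS 1.2 is the floor; Go negotiates 1.3 where the client supports it.
func newTLSConfig() *tls.Config {
    return &tls.Config{
        MinVersion:       tls.VersionTLS12,
        CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
    }
}

// hsts wraps a handler and tells browsers to use HTTPS for this host for
// one year, so a later plain-HTTP link or typed URL is upgraded client-side.
func hsts(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
        next.ServeHTTP(w, r)
    })
}

// redirectToHTTPS is the only handler served on the plain-HTTP listener.
// It drops any port from the Host header so that a request that arrived on
// e.g. :8080 redirects to https://host/path, not https://host:8080/path.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
    host := r.Host
    if h, _, err := net.SplitHostPort(host); err == nil {
        host = h
    }
    target := "https://" + host + r.URL.RequestURI()
    http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// newHTTPSServer assembles the TLS server with timeouts so that a slow client
// cannot hold connections open indefinitely.
func newHTTPSServer(addr string, handler http.Handler) *http.Server {
    return &http.Server{
        Addr:              addr,
        Handler:           hsts(handler),
        TLSConfig:         newTLSConfig(),
        ReadHeaderTimeout: 10 * time.Second,
        ReadTimeout:       30 * time.Second,
        WriteTimeout:      30 * time.Second,
        IdleTimeout:       120 * time.Second,
    }
}

func loginHandler(w http.ResponseWriter, r *http.Request) {
    if r.Method != http.MethodPost {
        http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
        return
    }
    username := r.FormValue("username")
    // Deliberately do not echo the password back; only acknowledge the user.
    w.Write([]byte("Received login request for " + username))
}

func main() {
    mux := http.NewServeMux()
    mux.HandleFunc("/login", loginHandler)

    // Plain-HTTP listener: redirect only, never serves application content.
    go func() {
        log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(redirectToHTTPS)))
    }()

    // server.crt / server.key are assumed paths to a CA-signed certificate
    // and its private key; the key file must be readable only by this service.
    srv := newHTTPSServer(":8443", mux)
    log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```

The certificate paths are passed to ListenAndServeTLS; the TLSConfig on the http.Server is merged with them, so MinVersion and curve preferences still apply. Keeping the redirect listener on a separate handler (rather than the application mux) means an operator cannot accidentally expose /login over plain HTTP by registering it on the default mux.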

References