Abstraction: Base · Status: Incomplete

CWE-1428: Reliance on HTTP instead of HTTPS

Category: other

Description

The product provides or relies on use of HTTP communications when HTTPS is available.

Common consequences (1)

  • Confidentiality / Integrity — Read Application Data, Modify Application Data
    HTTP can be subjected to attacks against confidentiality (by reading cleartext packets); integrity (by modifying sessions); and authenticity (by compromising servers and/or clients using cache poisoning, phishing, or other attacks that enable attackers to spoof a legitimate entity in the communication channel).

Potential mitigations (4)

  • [Architecture and Design] Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464].
  • [Implementation] Avoid using "mixed content," i.e., serving a web page over HTTPS in which the page includes elements that use "http:" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications.
  • [Implementation, Operation] Perform "HTTPS forcing," that is, redirecting HTTP requests to HTTPS.
  • [Operation] If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP).
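The two implementation-level mitigations above (no mixed content, HTTPS forcing) can be checked offline against captured responses. The following is an added example written for this entry; it is not code from MITRE or from the CWE page. It parses an HTML document delivered over HTTPS and reports sub-resources that resolve to `http:` URLs (split into active and passive mixed content), and it checks whether the answer to a plain-HTTP request is a permanent redirect to the `https:` form of the same host. The Strict-Transport-Security (HSTS) check is an assumption of this example: the page does not name HSTS, but it is the standard way to make the forced redirect persist in browsers. The sample page and headers are constructed, not captured from any real site.

```python
"""Offline checks for two CWE-1428 conditions: mixed content on an HTTPS page
and "HTTPS forcing" of plain-HTTP requests (added example, not MITRE's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in sub-resources.
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster"}
# Tags whose http: sub-resources count as "active" mixed content (scripts,
# frames, stylesheets, form targets); images and media count as "passive".
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed", "form"}


class MixedContentFinder(HTMLParser):
    """Collects sub-resource URLs that resolve to http: on an https: page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url, kind)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in RESOURCE_ATTRS or not value:
                continue
            if tag == "a" and name == "href":
                continue  # a navigation link, not a resource load
            # Relative and scheme-relative ("//cdn/...") URLs inherit https:
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((tag, name, absolute, kind))


def find_mixed_content(page_url, html):
    """Return mixed-content findings for an HTML document fetched from page_url."""
    if urlsplit(page_url).scheme != "https":
        return []  # only a page delivered over HTTPS can have mixed content
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def check_https_forcing(request_url, status, headers):
    """Return problems with the response that a plain-HTTP request received.

    Correct HTTPS forcing is a permanent redirect (301 or 308) whose Location
    is the https: form of the same host.
    """
    problems = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 308):
        problems.append(f"status {status} is not a permanent redirect")
    target = urlsplit(hdrs.get("location", ""))
    if target.scheme != "https":
        problems.append("Location does not point to an https: URL")
    elif target.hostname != urlsplit(request_url).hostname:
        problems.append("redirect changes host instead of only the scheme")
    return problems


def check_hsts(headers, min_max_age=31536000):
    """Return problems with the Strict-Transport-Security header of an HTTPS
    response (assumed policy: max-age of at least one year, includeSubDomains)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw = hdrs.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in raw.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not a number"]
    problems = []
    if max_age < min_max_age:
        problems.append(f"HSTS max-age {max_age} is below {min_max_age}")
    if "includesubdomains" not in directives:
        problems.append("HSTS lacks includeSubDomains")
    return problems


# Constructed sample page and responses (not captured from any real site).
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/cart.png">
<a href="http://blog.example.test/">blog</a>
<form action="http://pay.example.test/submit"><input name="card"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content:", finding)
    print(check_https_forcing("http://shop.example.test/checkout", 302,
                              {"Location": "https://shop.example.test/checkout"}))
    print(check_hsts({"Strict-Transport-Security": "max-age=300"}))
```

On the sample page the stylesheet and the form target are reported as active mixed content and the logo as passive; the scheme-relative script and the relative image resolve to `https:` and are not reported. A 302 answer to the HTTP request is flagged because a temporary redirect lets clients keep retrying over plain HTTP, and the short HSTS max-age is flagged for the same reason.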

References

  1. https://cwe.mitre.org/data/definitions/1428.html

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Weak Authentication
  • CWE: Use of Single-factor Authentication
  • CWE: Insufficiently Protected Credentials
  • CWE: Missing Encryption of Sensitive Data
  • CWE: Unprotected Primary Channel
  • CWE: Improper Validation of Certificate with Host Mismatch

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.