Description: If applications do not enforce Http Strict Transport Security then there is a chance that sensitive data could be transmitted in clear text and those having access to the network can sniff and steal data.
Impact of Clear Text Communication: If applications do not use SSL/TLS for secure transmission of sensitive data then the data could be stolen by someone having access to network through sniffing.
Some tools that can be used to sniff the network are
- Wireshark
- TCP dump
How to Fix:
- Ensure that the applications are configured to use Transport Layer Security protocol for transmitting data between client and server. TLS 1.2 version is considered to be safe to use. Make sure the version that you are using is not vulnerable.
- Additionally, enforce Http Strict Transport Security header that ensures all data transmission happen through Transport Layer Security.
Hope this article provided useful information to you. Please share if you like it.
