Failing to encrypt data forgoes the guarantees of confidentiality,
integrity, and accountability that properly implemented encryption
provides.
Time of Introduction: Architecture and Design
Applicable Platforms: Languages: All
Common Consequences
Scope: Effect
Confidentiality: Properly encrypted data channels ensure data confidentiality.
Integrity: Properly encrypted data channels ensure data integrity.
Accountability: Properly encrypted data channels ensure accountability.
Confidentiality: If the application does not use a secure channel, such as
SSL, to exchange sensitive information, an attacker with access to the
network traffic can capture packets from the connection and recover the
data. The attack is not technically difficult, but it does require
physical access to some portion of the network over which the sensitive
data travels. That access is usually somewhere near where the user is
connected to the network (such as a colleague on the company network),
but it can be anywhere along the path from the user to the end server.
Confidentiality, Integrity: Omitting encryption from any program that
transfers data over a network of any kind should be treated as equivalent
to handing the transmitted data to every user on the local networks of
both the sender and the receiver. Worse, the omission allows data to be
injected into the stream of communication between the two parties, with
no means for the victims to distinguish valid data from injected data. In
an era of widespread network attacks and password-collecting sniffers,
omitting encryption from the design of any system that would benefit from
it is an unnecessary risk.
Likelihood of Exploit: Very High
Demonstrative Examples
Example 1 (Bad Code), C:
```c
/* Resolve the host named on the command line; the plain TCP connection
   set up from here carries the application's data with no encryption. */
server.sin_family = AF_INET;
hp = gethostbyname(argv[1]);
```
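As an added example (not code from the CWE entry), a Python counterpart to the C client above: a TLS client context that verifies the server, and a guard at the send site that refuses to write credentials to any socket that is not TLS-wrapped. The host name, the `LOGIN` message format and the sample credentials are constructed for illustration.

```python
import socket
import ssl


def build_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and host name;
    the minimum version is pinned so a downgrade cannot quietly weaken the channel."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def open_encrypted_channel(host: str, port: int, timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect and finish the TLS handshake before any application data is sent."""
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname supplies SNI and the name the certificate is checked against.
    return build_tls_context().wrap_socket(raw, server_hostname=host)


def channel_is_encrypted(sock: socket.socket) -> bool:
    """True only for a socket that an SSLContext has wrapped."""
    return isinstance(sock, ssl.SSLSocket)


def encode_credentials(username: str, password: str) -> bytes:
    """Wire format of the login message (constructed for this example)."""
    return f"LOGIN {username} {password}\n".encode("utf-8")


def send_credentials(sock: socket.socket, username: str, password: str) -> int:
    """Send the login message, refusing any socket that is not TLS-wrapped.
    CWE-311 is the silent disclosure that happens when secrets are written to a
    plaintext channel; a check at the send site turns it into a hard error."""
    if not channel_is_encrypted(sock):
        raise RuntimeError("refusing to send credentials over an unencrypted socket")
    payload = encode_credentials(username, password)
    sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    with socket.socket() as plain:  # never connected: the guard fires before any I/O
        try:
            send_credentials(plain, "alice", "correct horse battery staple")  # constructed
        except RuntimeError as exc:
            print("blocked:", exc)
```

A real connection would be made with `open_encrypted_channel(host, port)` and its socket passed to `send_credentials`; the plain-socket path exists only to show the guard rejecting an unencrypted channel.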