Use of insecure channel

Use of insecure channel - Source code

Need

To protect sensitive information during transmission over a network.

Context

• Usage of Elixir (1.12.0 and above) for building scalable and concurrent applications

• Usage of Cowboy HTTP server for handling HTTP requests

Description

1. Non compliant code

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

    at: "/",...

The code above configures an HTTP server with no encryption. Any data sent between the server and clients is vulnerable to interception. This can be exploited by an attacker to capture sensitive information and credentials in plain text, or intercept communication and steal or forge requests and responses.

2. Steps

• Acquire a valid TLS certificate for your domain.

• Configure your server to use HTTPS with the TLS certificate.

• Redirect all HTTP requests to HTTPS.

3. Secure code example

defmodule MyAppWeb.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  socket "/socket", MyAppWeb.UserSocket,
    websocket: true,
    longpoll: false

    at: "/",...

The updated code now includes the 'Plug.ForceSSL' plug, which redirects all non-HTTPS requests to HTTPS, ensuring that all data is transmitted over an encrypted channel. This mitigates the risk of data interception and forgery.

References

• 332. Use of insecure channel - Source code

On this page