Use of HTTP without TLS

[akondasif]

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/zend-patterns/ZendServerPuppet/blob/master/manifests/params.pp (Line#19)

[ubellavance]

It's using http on localhost, what's the risk?

[akondasif]

@ubellavance , thanks for the quick reply.

According to a Google engineer, localhost has security issues: https://www.scmagazineuk.com/secure-localhost-domain-hint-may-not-says/article/1474262

Would you agree?

[ubellavance]

No, I don't agree there is a risk here, for these reasons:

• If you want to sniff the network traffic going to localhost, you have to be on the host itself, which is already a bigger problem
• All Linux and Windows systems that I've seen in my life have localhost mapped to 127.0.0.1 by default, which is the address of the default loopback address, so the call will go to this address - no security risk
• If there was a problem with 'localhost' pointing somewhere else, the destination server would only get a request, with a secret. It's a security issue, but it would be present with https as well.
• From what I can see, this parameter is not used unless a target is not used (i.e. only on first run)
• The problem doesn't come from this puppet module, if comes from Zend Server, as the binary that they provide, zs-manage, defaults to using plain text http. I'm not sure if their API is available using https.