Unencrypted Server Socket
Description
The use of an unencrypted server socket may expose sensitive information to man-in-the-middle attacks. To prevent this, ensure that your use of SSLSocketFactory includes all the necessary certificate validation checks.
Examples
Insecure Code
```scala
import java.net.Socket

// A plain TCP socket: everything written to it crosses the network in the clear,
// so an on-path attacker can read or modify the traffic.
val socket = new Socket()
```
Secure Code
```scala
import javax.net.ssl.{SSLSocket, SSLSocketFactory}

// The default factory is backed by the JVM's default SSLContext and trust store,
// so the peer's certificate chain is validated during the TLS handshake.
val factory = SSLSocketFactory.getDefault().asInstanceOf[SSLSocketFactory]
val socket = factory.createSocket().asInstanceOf[SSLSocket]
```
Remediation
Use SSLSocketFactory with proper certificate validation to encrypt the server socket.
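Chain validation alone is not "all the necessary certificate validation checks": the default SSLSocketFactory verifies that the certificate chains to a trusted root, but a raw SSLSocket does not compare the certificate's name to the host it connected to unless an endpoint identification algorithm is set, so a valid certificate for any other site would be accepted. The following client enables that check; it is an added example, not code from this rule page, and the object name TlsClient and the host and port used in main are assumptions.

```scala
import java.net.InetSocketAddress
import javax.net.ssl.{SSLContext, SSLSocket}

object TlsClient {
  // Assumed helper name; not part of the original rule page.
  def connect(host: String, port: Int, timeoutMs: Int = 5000): SSLSocket = {
    // Default SSLContext: chain is validated against the JVM trust store.
    val factory = SSLContext.getDefault().getSocketFactory()
    val socket = factory.createSocket().asInstanceOf[SSLSocket]

    // Start from the socket's current parameters and tighten them.
    val params = socket.getSSLParameters()
    params.setProtocols(Array("TLSv1.3", "TLSv1.2"))
    // "HTTPS" turns on RFC 2818 / RFC 6125 hostname matching against the
    // certificate's SAN/CN; without this line a raw SSLSocket skips it.
    params.setEndpointIdentificationAlgorithm("HTTPS")
    socket.setSSLParameters(params)

    socket.connect(new InetSocketAddress(host, port), timeoutMs)
    // Throws SSLHandshakeException on an untrusted chain or a name mismatch,
    // so callers never get a socket that talks to an unverified peer.
    socket.startHandshake()
    socket
  }

  def main(args: Array[String]): Unit = {
    // Assumed endpoint; any host with a publicly trusted certificate works.
    val s = connect("example.com", 443)
    val session = s.getSession()
    println(s"${session.getProtocol} with ${session.getPeerPrincipal}")
    s.close()
  }
}
```

If the peer presents a certificate issued to a different name, startHandshake() fails instead of silently succeeding, which is the behaviour the rule's description asks for.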
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0033 |
| Category | Crypto |
| Severity | HIGH |
| CWE | CWE-319 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | man-in-the-middle, certificate validation |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |