CWE-1428: Reliance on HTTP instead of HTTPS
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product provides or relies on use of HTTP communications when HTTPS is available.
Common Consequences
Scope: Confidentiality, Integrity
Technical Impact: Read Application Data, Modify Application Data
Note: HTTP can be subjected to attacks against confidentiality (by reading cleartext packets); integrity (by modifying sessions); and authenticity (by compromising servers and/or clients using cache poisoning, phishing, or other attacks that enable attackers to spoof a legitimate entity in the communication channel).
Potential Mitigations
Phase: Architecture and Design
Description: Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464].
Phase: Implementation
Description: Avoid using "mixed content," i.e., serving a web page over HTTPS in which the page includes elements that use "http:" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications.
Phase: Implementation, Operation
Description: Perform "HTTPS forcing," that is, redirecting HTTP requests to HTTPS.
Phase: Operation
Description: If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP).
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | The product might be designed in a way that assumes that HTTP will be used, e.g., by excluding considerations of encrypted communications between client and server. |
| Requirements | Product requirements might not include encrypted communications, which could make it easier for designers and developers to choose HTTP. |
| Implementation | Developers might choose to use unencrypted protocols such as HTTP because they would not require development of additional mechanisms to support encryption, e.g., key or certificate management. |
| Implementation | When generating content that references web sites such as email messages, ensure that the https:// prefix is included. If a domain name is presented without such a prefix, then clients might automatically treat the link as if it had an "http" prefix. For example, referencing a domain like "mysite.example.com" could cause it to be treated like "http://mysite.example.com", thereby sending unencrypted HTTP requests. |
| Operation | Designers might assume that the responsibility for encrypted communications might belong to operators and/or network administrators. |
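As an added example (not part of the CWE entry or its references), two Python checks that apply the mitigations above: one flags "http:" sub-resource references in a page served over HTTPS (mixed content), the other rewrites bare host names and http:// links in generated text such as an email body so that every link carries an explicit https:// prefix. The resource-attribute list and the bare-host pattern are assumed heuristics, not a standard.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value the browser fetches as a sub-resource (assumed list).
RESOURCE_ATTRS = {"src", "href", "action", "data", "poster"}


class _MixedContentParser(HTMLParser):
    """Collects every http: URL found in a resource-loading attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                url = value.strip()
                # Protocol-relative ("//host/...") and https: URLs inherit or
                # use TLS; an explicit "http:" scheme on an HTTPS page is
                # mixed content and is reported.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return (tag, attribute, url) for each http: reference in a page that
    is served over HTTPS. Does not inspect CSS url() or inline scripts."""
    parser = _MixedContentParser()
    parser.feed(html)
    return parser.findings


# Heuristic for a bare host name such as mysite.example.com that is not
# already part of a URL or an email address (constructed; it can over-match
# file names like "logo.png", so review its output before sending).
_BARE_HOST = re.compile(
    r"(?<![\w@/.:-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w@-]|\.\w)", re.I)


def ensure_https_links(text):
    """Rewrite http:// links and bare host names in generated text (for
    example an email body) so every link has an explicit https:// prefix."""
    text = re.sub(r"\bhttp://", "https://", text, flags=re.I)
    return _BARE_HOST.sub(lambda m: "https://" + m.group(1), text)
```

Running find_mixed_content over rendered templates in CI catches the image and script tags that are usually the source of mixed content, while ensure_https_links belongs in the code path that composes outbound messages.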