This socket is insecure

    public static void main(String[] args) throws Exception {
        System.out.println("Server signing On");
        // Flagged: a plain ServerSocket accepts cleartext connections
        ServerSocket ss = new ServerSocket(9085);
        MessageDispatcher md = new MessageDispatcher();
        md.setDaemon(true);
        md.start();
This socket is insecure

    public static void main(String[] args) throws Exception {
        System.out.println("Client Signing on");
        try {
            // Flagged: a plain Socket sends everything, including login data, in cleartext
            Socket soc = new Socket("127.0.0.1", 9085);
            BufferedReader nis = new BufferedReader(new InputStreamReader(soc.getInputStream()));
            ObjectOutputStream oos = new ObjectOutputStream(soc.getOutputStream());
            LoginWindow user = new LoginWindow(nis, oos);
Description

Socket and ServerSocket do not implement TLS/SSL by default. Use SSLSocket/SSLServerSocket instead.

The socket factory types javax.net.SocketFactory and javax.net.ServerSocketFactory cannot be used to create secure client and server sockets. For that purpose, their subclasses, SSLSocketFactory and SSLServerSocketFactory, must be used.
Bad Practice
Socket s = SocketFactory.getDefault().createSocket();
ServerSocket s2 = new ServerSocket(3434);
Recommended

Socket s = SSLSocketFactory.getDefault().createSocket();
ServerSocket s2 = SSLServerSocketFactory.getDefault().createServerSocket(3434);
Beyond using an SSL socket, you need to make sure your use of SSLSocketFactory (or, for server sockets, SSLServerSocketFactory) does all the appropriate certificate validation checks to make sure you are not subject to man-in-the-middle attacks. Please read the OWASP Transport Layer Protection Cheat Sheet for details on how to do this correctly.
References
- FindSecBugs - UNENCRYPTED_SOCKET
- WASC-04 - Insufficient transport layer security
- CWE-200 - Exposure of Sensitive Information to Unauthorized Actors
- CWE-319 - Cleartext Transmission of Sensitive Information
- OWASP Top Ten (2021) - Category A05 - Security Misconfiguration
- OWASP Top Ten (2021) - Category A02 - Cryptographic Failures
- OWASP Transport Level Security Cheatsheet