Open claco opened 10 years ago
I can't say that I'm aware of when credentials are passed in clear text here, but the same comment as https://github.com/rcbops/chef-cookbooks/issues/892 applies here.
I assume it's when the api service talks to the register service directly.
This is from the internal security review recommendations.
Severity: High
Description / Exploit: The RPC Image Service Registry transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.
Impact: Anyone can read the information by gaining access to the channel being used for communication.
Systems Vulnerable: http://198.101.133.159:9191
Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).
Further References: http://cwe.mitre.org/data/definitions/319.html, https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.
Affects:
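As an added example (not code from this issue, the cookbook, or the Glance project), the script below does the two checks a reviewer of the http -> https change would want: an offline audit of the api-to-registry options in a glance-api.conf, and a live probe that tells a registry port that completes a TLS handshake apart from one that still answers plain HTTP. The option names (registry_client_protocol, registry_client_ca_file, registry_client_cert_file, registry_client_key_file, registry_host, registry_port) are assumed to match the glance-api.conf keys; the two config snippets are constructed samples, and the host/port in them are the ones from the report.

```python
"""Audit a glance-api.conf for a cleartext api->registry channel and,
optionally, probe the registry port to see whether it really speaks TLS.

Added example, not part of the issue or the cookbook. The option names are
assumed to match glance-api.conf; adjust them if your release differs.
"""
import configparser
import socket
import ssl

# Constructed sample: the weak configuration the report describes, where the
# API service talks to the registry over plain HTTP on port 9191.
WEAK_CONF = """\
[DEFAULT]
registry_host = 198.101.133.159
registry_port = 9191
registry_client_protocol = http
"""

# Constructed sample: the same config after the http -> https change, with the
# CA bundle and client cert/key the follow-up work in the issue calls for.
HARDENED_CONF = """\
[DEFAULT]
registry_host = 198.101.133.159
registry_port = 9191
registry_client_protocol = https
registry_client_ca_file = /etc/glance/registry-ca.pem
registry_client_cert_file = /etc/glance/api-client.crt
registry_client_key_file = /etc/glance/api-client.key
"""


def audit_registry_channel(conf_text):
    """Return a list of findings for the api->registry options; [] means clean."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    d = cp["DEFAULT"]
    findings = []
    proto = d.get("registry_client_protocol", "http").lower()
    if proto != "https":
        findings.append(
            "registry_client_protocol=%s: API keys/tokens cross the wire in "
            "cleartext (CWE-319)" % proto)
        return findings  # the remaining checks only matter once TLS is on
    if not d.get("registry_client_ca_file"):
        findings.append(
            "registry_client_ca_file unset: the registry cert is not checked "
            "against a CA bundle, so an on-path attacker can still terminate TLS")
    if bool(d.get("registry_client_cert_file")) != bool(d.get("registry_client_key_file")):
        findings.append(
            "registry_client_cert_file and registry_client_key_file must be "
            "configured together for client-cert auth")
    return findings


def probe_registry(host, port, timeout=5.0):
    """Connect to host:port and classify what is listening.

    Returns 'tls' (handshake completed, cert trusted), 'tls-untrusted-cert'
    (handshake answered but the cert fails CA/hostname verification),
    'cleartext-http' (the port answers a plain HTTP request), or 'unknown'.
    Network-dependent; it is not exercised by the offline checks.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted-cert"
    except ssl.SSLError:
        pass  # the port answered, but not with a TLS ServerHello
    except OSError:
        return "unknown"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            banner = raw.recv(64)
    except OSError:
        return "unknown"
    return "cleartext-http" if banner.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_registry_channel(conf) or "OK")
```

The audit stops at the first finding when the protocol is still http, since the CA and client-cert checks are meaningless until the channel is encrypted; the probe is the piece worth wiring into a monit or similar check after the cutover, failing on anything other than "tls".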