Use of Insecure Channel - FTP in Applications

Need

Secure transmission of customer information

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Plug for request handling
  • Usage of Phoenix framework for building scalable web applications
  • Usage of ftp module for FTP communication

Description

Non-compliant code

# Plain FTP: the login and the file contents cross the network unencrypted
{:ok, _} = Application.ensure_all_started(:ftp)
{:ok, pid} = :ftp.open('ftp.example.com')
:ok = :ftp.user(pid, 'username', 'password')
:ok = :ftp.recv(pid, 'somefile.txt')
:ok = :ftp.close(pid)

This code is vulnerable because it uses FTP, a protocol that sends credentials and file contents without encryption, to transmit customer information. Anyone positioned on the network path can intercept the data and read it in plain text during transit, which could lead to unauthorized access or data leakage.

Steps

  • Replace FTP (File Transfer Protocol) with SFTP (SSH File Transfer Protocol) for secure file transfer.
  • Use the :ssh_sftp module in Elixir for SFTP communication.
  • Make sure the connection is configured to verify the server's identity (for SFTP this is the SSH host key, checked against a known_hosts file, rather than an SSL certificate) so the encrypted channel cannot be redirected to an impostor.

Compliant code

# SFTP over SSH: credentials and file contents are encrypted in transit.
# silently_accept_hosts defaults to false; it is spelled out because setting
# it to true would skip host-key verification.
:ok = :ssh.start()
{:ok, conn} = :ssh.connect('sftp.example.com', 22, [user: 'username', password: 'password', silently_accept_hosts: false])
{:ok, channel} = :ssh_sftp.start_channel(conn)
{:ok, data} = :ssh_sftp.read_file(channel, '/remote/path/to/somefile.txt')
:ok = File.write("/local/path/to/somefile.txt", data)
:ok = :ssh_sftp.stop_channel(channel)
:ok = :ssh.close(conn)

This secure code example uses SFTP, which runs inside an SSH session and encrypts the data in transit. Even if the traffic is intercepted, it cannot be read in plain text, and host-key verification stops the client from handing its credentials to a server that is impersonating the real one.
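The following module, added here as an illustration and not part of the original page, wraps the SFTP replacement in a reusable function: it keeps host-key verification on, prefers key-based authentication from a dedicated user_dir, applies a connection timeout, and always releases the channel and connection even when the download fails. The host name, user_dir path, account name and file paths are assumed placeholders.

```elixir
defmodule SecureTransfer do
  @moduledoc """
  Download a file over SFTP (SSH) instead of plaintext FTP.
  Host-key verification stays enabled so a spoofed server is rejected
  before any credential is sent.
  """

  @host 'sftp.example.com'   # assumed host
  @port 22

  # Returns {:ok, bytes_written} or {:error, reason}.
  # opts: user, user_dir, password (all Erlang charlists).
  def download(remote_path, local_path, opts \\ []) do
    :ok = :ssh.start()

    ssh_opts =
      [
        user: Keyword.get(opts, :user, 'username'),           # assumed account
        # Private key and known_hosts (which pins the server's host key)
        # are read from this directory instead of the process owner's ~/.ssh.
        user_dir: Keyword.get(opts, :user_dir, '/etc/app/ssh'),  # assumed path
        auth_methods: 'publickey,password',
        # Default is already false; stated explicitly because true would
        # accept any host key and reintroduce man-in-the-middle risk.
        silently_accept_hosts: false,
        connect_timeout: 10_000
      ] ++ Keyword.take(opts, [:password])

    case :ssh.connect(@host, @port, ssh_opts) do
      {:ok, conn} ->
        try do
          with {:ok, chan} <- :ssh_sftp.start_channel(conn, timeout: 10_000) do
            try do
              # read_file returns the whole remote file as a binary.
              with {:ok, data} <- :ssh_sftp.read_file(chan, remote_path),
                   :ok <- File.write(local_path, data) do
                {:ok, byte_size(data)}
              end
            after
              :ssh_sftp.stop_channel(chan)
            end
          end
        after
          :ssh.close(conn)
        end

      {:error, _} = error ->
        error
    end
  end
end

# SecureTransfer.download('/remote/path/to/somefile.txt', "/local/path/to/somefile.txt")
```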