Stop Sending Sensitive Data with Cleartext Protocols

Cleartext protocols, like Hypertext Transfer Protocol (HTTP), Telnet, and File Transfer Protocol (FTP), do not use any sort of encryption to protect the data being sent over them. For the most part, this is OK, as not every web page or file that is shared needs to be protected in that manner. If you are looking at a page on Wikipedia, then it is understandable that there is no encryption on that page, as the information is readily available for everyone to look at. But logging into the admin console of your website is definitely not something you want to share with everyone else.

Cleartext protocols allow threat actors to sniff network traffic and read everything in plain text. If that network packet happens to be you logging into your web admin portal, then your username and password are more visible to the threat actor than they were to you when you typed them in. Uploading and sharing a file using FTP? That’s great if it’s your next blog post that’s going to be shared out to millions of people anyway. Not so good if it’s your earnings report or other confidential business data.

Here are some guidelines you can follow to ensure the information you want to keep secret stays that way:

Telnet: Telnet is an outdated protocol that allows remote administration of a computer system. It has largely been replaced by Secure Socket Shell (SSH), which is an encrypted protocol that protects all the data sent over it. Telnet can be found on a lot of networking devices and should simply be disabled wherever you see it. SSH is just a better option as it encrypts data, supports authentication, and allows graphical programs to be run remotely, all things Telnet is not capable of doing.

FTP: For file transfers, if the file is not sensitive in any manner, and the server hosting the files does not need to authenticate users before granting access, then FTP is acceptable. Once you add authentication to the server, though, or if you are storing files that contain sensitive data, this option is no longer ideal. When a user logs into an FTP server, their username and password are sent in cleartext, which can be seen by anyone sniffing network traffic to that server. The better option would be to use Secure File Transfer Protocol (SFTP) or File Transfer Protocol over SSL (FTPS). SFTP uses SSH to encrypt the data sent between the client and server, and FTPS uses SSL/TLS for the same function.

HTTP: Any web pages that require a logon, and any subsequent pages that need user authentication to reach, should be served using HTTPS. HTTPS encrypts all HTTP data using SSL/TLS encryption. This protects sensitive data contained on web pages, and more importantly, the usernames and passwords of the users logging into these web pages.
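To make the FTP and HTTP points concrete, here is an added example (not part of the original article) of the check a monitoring sensor can run on your own traffic to find logins that still travel in cleartext. The payloads, host name, accounts and passwords are constructed samples, and the findings record only the length of each secret, never the secret itself.

```python
import base64
import re

# Constructed application payloads (not real captures), as a monitoring sensor would see them.
SAMPLES = {
    "ftp-login": b"USER alice\r\nPASS Winter2024!\r\n",
    "http-basic": b"GET /admin HTTP/1.1\r\nHost: example.test\r\nAuthorization: Basic "
                  + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n",
    "http-form": b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 b"username=bob&password=s3cret",
    "http-public": b"GET /wiki/Telnet HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls-record": b"\x16\x03\x03\x00\x2a" + bytes(42),  # encrypted session: opaque bytes
}

FTP_USER = re.compile(rb"^USER (\S+)\r?$", re.M)
FTP_PASS = re.compile(rb"^PASS (.+?)\r?$", re.M)
BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)
FORM_USER = re.compile(rb"(?:^|[&\n])(?:username|user|login)=([^&\s]+)", re.I)
FORM_PASS = re.compile(rb"(?:^|[&\n])(?:password|passwd|pwd)=([^&\s]+)", re.I)


def find_exposures(payload):
    """Return (mechanism, account, secret_length) findings; the secret itself is not kept."""
    findings = []
    ftp_pass = FTP_PASS.search(payload)
    if ftp_pass:
        user = FTP_USER.search(payload)
        findings.append(("FTP PASS", user.group(1).decode() if user else "?", len(ftp_pass.group(1))))
    basic = BASIC.search(payload)
    if basic:
        # Basic auth is base64 encoding, not encryption: anyone on the path can decode it.
        user, _, secret = base64.b64decode(basic.group(1)).partition(b":")
        findings.append(("HTTP Basic", user.decode(), len(secret)))
    form_pass = FORM_PASS.search(payload) if payload.startswith(b"POST ") else None
    if form_pass:
        user = FORM_USER.search(payload)
        findings.append(("HTTP form", user.group(1).decode() if user else "?", len(form_pass.group(1))))
    return findings


def audit(samples):
    """Map each sample name to its findings; an empty list means no credential was readable."""
    return {name: find_exposures(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLES).items():
        print(name, findings or "no cleartext credentials")
```

The public page request and the TLS record produce no findings, which matches the article's distinction: cleartext is fine for public content, and once a session is encrypted there is nothing readable to flag.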