Using clear-text protocols exposes data in transit to eavesdropping and man-in-the-middle attacks.

Why is this an issue?

An attacker who can observe network traffic — for example through a compromised network device, a position on the same network segment, or a cloud environment breach — can read, modify, or inject data sent over ftp, telnet, http, or unencrypted SMTP without detection. This is true even on internal or isolated networks, where insider threats or lateral movement after an initial compromise can expose unencrypted traffic. This rule raises an issue when a clear-text protocol scheme is used or when encryption is explicitly disabled for a network connection.

What is the potential impact?

Sensitive data exposure

An attacker who can intercept network traffic can read all data transmitted over clear-text connections, including credentials, session tokens, API keys, or personal data.

Data tampering

Because clear-text protocols provide no integrity protection, an attacker in a man-in-the-middle position can silently modify data in transit — redirecting users to malicious endpoints, injecting malicious content into responses, or altering commands sent to remote services.

How to fix it

Code examples

The following code uses a clear-text protocol or disables encryption for a network connection, leaving transmitted data exposed to interception.

Noncompliant code example

- name: HTTP request
  hosts: all
  tasks:
  - name: Example
    uri:
        url: http://example.com # Noncompliant

Compliant solution

- name: HTTPS request
  hosts: all
  tasks:
  - name: Example
    uri:
        url: https://example.com

Resources

Documentation

• AWS Documentation - Listeners for your Application Load Balancers
• AWS Documentation - Stream Encryption

Articles & blog posts

• Google - Moving towards more secure web
• Mozilla - Deprecating non secure http

Standards

• CWE - CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
• CWE - CWE-319 - Cleartext Transmission of Sensitive Information
• STIG Viewer - Application Security and Development: V-222397 - The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
• STIG Viewer - Application Security and Development: V-222534 - Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS.
• STIG Viewer - Application Security and Development: V-222562 - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the integrity of maintenance and diagnostic communications.
• STIG Viewer - Application Security and Development: V-222563 - Applications used for non-local maintenance must implement cryptographic mechanisms to protect the confidentiality of maintenance and diagnostic communications.
• STIG Viewer - Application Security and Development: V-222577 - The application must not expose session IDs.
• STIG Viewer - Application Security and Development: V-222596 - The application must protect the confidentiality and integrity of transmitted information.
• STIG Viewer - Application Security and Development: V-222597 - The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission.
• STIG Viewer - Application Security and Development: V-222598 - The application must maintain the confidentiality and integrity of information during preparation for transmission.
• STIG Viewer - Application Security and Development: V-222599 - The application must maintain the confidentiality and integrity of information during reception.