{"@ID": "1428", "@Name": "Reliance on HTTP instead of HTTPS", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Incomplete", "Description": "The product provides or relies on use of HTTP communications when HTTPS is available.", "Extended_Description": {"xhtml:p": "Because HTTP communications are not encrypted, HTTP is subject to various attacks against confidentiality, integrity, and authenticity. However, unlike many other protocols, HTTPS is widely available as a more secure alternative, because it uses encryption."}, "Related_Weaknesses": {"Related_Weakness": {"@Nature": "ChildOf", "@CWE_ID": "319", "@View_ID": "1000", "@Ordinal": "Primary"}}, "Weakness_Ordinalities": {"Weakness_Ordinality": [{"Ordinality": "Primary"}, {"Ordinality": "Resultant"}]}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}, "Operating_System": {"@Class": "Not OS-Specific", "@Prevalence": "Undetermined"}, "Architecture": {"@Class": "Not Architecture-Specific", "@Prevalence": "Undetermined"}, "Technology": {"@Class": "Not Technology-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": [{"Phase": "Architecture and Design", "Note": "The product might be designed in a way that assumes that HTTP will be used, e.g., by excluding considerations of encrypted communications between client and server."}, {"Phase": "Requirements", "Note": "Product requirements might not include encrypted communications, which could make it easier for designers and developers to choose HTTP."}, {"Phase": "Implementation", "Note": "Developers might choose to use unencrypted protocols such as HTTP because they would not require development of additional mechanisms to support encryption, e.g., key or certificate management."}, {"Phase": "Implementation", "Note": "When generating content that references web sites such as email messages, ensure that the https:// prefix is included. If a domain name is presented without such a prefix, then clients might automatically treat the link as if it had an \"http\" prefix. For example, referencing a domain like \"mysite.example.com\" could cause it to be treated like \"http://mysite.example.com\", thereby sending unencrypted HTTP requests."}, {"Phase": "Operation", "Note": "Designers might assume that the responsibility for encrypted communications might belong to operators and/or network administrators."}]}, "Common_Consequences": {"Consequence": {"Scope": ["Confidentiality", "Integrity"], "Impact": ["Read Application Data", "Modify Application Data"], "Likelihood": "High", "Note": "HTTP can be subjected to attacks against confidentiality (by reading cleartext packets); integrity (by modifying sessions); and authenticity (by compromising servers and/or clients using cache poisoning, phishing, or other attacks that enable attackers to spoof a legitimate entity in the communication channel)."}}, "Potential_Mitigations": {"Mitigation": [{"Phase": "Architecture and Design", "Description": "Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464]."}, {"Phase": "Implementation", "Description": "Avoid using \"mixed content,\" i.e., serving a web page over HTTPS in which the page includes elements that use \"http:\" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications."}, {"Phase": ["Implementation", "Operation"], "Description": "Perform \"HTTPS forcing,\" that is, redirecting HTTP requests to HTTPS."}, {"Phase": "Operation", "Description": "If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP)."}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1461"}, {"@External_Reference_ID": "REF-1462"}, {"@External_Reference_ID": "REF-1463"}, {"@External_Reference_ID": "REF-1464"}, {"@External_Reference_ID": "REF-1465", "@Section": "V1.9 Communications Architecture"}, {"@External_Reference_ID": "REF-1465", "@Section": "V9.1 Client Communication Security"}, {"@External_Reference_ID": "REF-1465", "@Section": "V9.2 Server Communication Security"}, {"@External_Reference_ID": "REF-1466"}, {"@External_Reference_ID": "REF-1467"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Content_History": {"Submission": {"Submission_Name": "CWE Content Team", "Submission_Organization": "MITRE", "Submission_Date": "2025-03-28", "Submission_Version": "4.17", "Submission_ReleaseDate": "2025-04-03"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Weakness_Ordinalities"}], "Contribution": {"@Type": "Content", "Contribution_Name": "Michal Biesiada", "Contribution_Date": "2023-02-08", "Contribution_Version": "4.17", "Contribution_ReleaseDate": "2025-04-03", "Contribution_Comment": "suggested that CWE include \"lack of HTTPS forcing\" and \"using HTTP instead of HTTPS with email and other content,\" and contributed references"}}}
