Use of Insecure Channel - FTP in Applications - Elixir

Use of Insecure Channel - FTP in Applications - Elixir

Need

Secure transmission of customer information

Context

  • Usage of Elixir (v1.10+) for building scalable and fault-tolerant applications
  • Usage of Plug for request handling
  • Usage of Phoenix framework for building scalable web applications
  • Usage of ftp module for FTP communication

Description

Non compliant code

        {:ok, pid} = :ftp.open('ftp.example.com', [user: 'username', password: 'password'])
:ftp.send_cmd(pid, 'RETR somefile.txt')

This code is vulnerable because it uses the FTP protocol to transmit customer information which does not use encryption. This means that the data can be easily intercepted and read in plain text during transit, which could potentially lead to unauthorized access or data leakage.

Steps

  • Replace FTP (File Transfer Protocol) with SFTP (SSH File Transfer Protocol) for secure file transfer.
  • Use the :ssh_sftp module in Elixir for SFTP communication.
  • Make sure to include the necessary SSL certificate configurations for secure SFTP communication.

Compliant code

        {:ok, conn} = :ssh.connect('sftp.example.com', 22, [user: 'username', password: 'password'])
{:ok, channel} = :ssh_sftp.start_channel(conn)
:ssh_sftp.download(channel, '/remote/path/to/somefile.txt', '/local/path/to/somefile.txt')

This secure code example uses the SFTP protocol for file transfer which uses encryption to secure the data in transit. This ensures that even if the data is intercepted, it cannot be read in plain text.

References