-
Notifications
You must be signed in to change notification settings - Fork 41
Use of MD5, use of HTTP, and empty passwords #7768
Comments
Along with use of MD5, I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html). I suggest that to follow the strong password guidelines, and manage passwords with hiera. Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/govuk_crawler/manifests/init.pp |
I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support? I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP? Any feedback is appreciated. Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/nodejs/manifests/repo.pp |
Thank you for raising these and apologies for the lack of activity on the issue. We have a separate, private, system that replaces the empty passwords with securely generated values that are loaded via Hiera. Due to the nature of the public/private split it can appear we have empty passwords in places where we actually don't. In regards to the postgres issue we've moved to RDS now and changed the way this authentication works. Thank you again for flagging these |
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I noticed instances of MD5 uses in one of the Puppet scripts. MD5 is vulnerable to attacks, and should be avoided. The Common Weakness Enumeration organization recommends against usage of weak cryptographic algorithms such as MD5. Reff: https://cwe.mitre.org/data/definitions/327.html.
I suggest the use of SHA512 , which is more secure. Any feedback is appreciated.
Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/govuk/manifests/node/s_transition_postgresql_standby.pp
The text was updated successfully, but these errors were encountered: