PCI v3.2-6.5.4
CAPEC-217
CWE-311
HIPAA-164.306
ISO27001-A.14.1.3
WASC-4
OWASP 2013-A6
OWASP 2017-A3
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

SSL/TLS Not Implemented

Severity:
Medium
Summary

Invicti detected that SSL/TLS is not implemented after trying to establish a secure connection to the target website.

Impact

An attacker who is able to intercept your - or your users' - network traffic can read and modify any messages that are exchanged with your server.

That means that an attacker can see passwords in clear text, modify the appearance of your website, redirect the user to other web pages or steal session information.

Therefore no message you send to the server remains confidential.

Remediation

We suggest that you implement SSL/TLS properly, for example by using the Certbot tool provided by the Let's Encrypt certificate authority. It can automatically configure most modern web servers, e.g. Apache and Nginx to use SSL/TLS. Both the tool and the certificates are free and are usually installed within minutes.

Required Skills for Successful Exploitation
Actions To Take
Classifications
PCI v3.2-6.5.4
CAPEC-217
CWE-311
HIPAA-164.306
ISO27001-A.14.1.3
WASC-4
OWASP 2013-A6
OWASP 2017-A3
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C
Vulnerability Index

You can search and find all vulnerabilities

Select Category
Critical
High
Medium
Low
Best Practice
Information
Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Related Vulnerabilities

Featured resources

No items found.
No items found.
View all resources

Build your resistance to threats. And save hundreds of hours each month.

Get a Demo