Is non-SSL communication from RiskFort to UBP a security risk?

Article ID: 101621

Updated On:

Products

CA Rapid App Security, CA Advanced Authentication, CA API Gateway

Issue/Introduction

RiskFort communicates with CA Strong Authentication's UBP application to generate model risk scores. This communication currently uses HTTP, and HTTPS is not supported. Customers have raised queries about any exposure, given that SSL communication is not supported.

Is non-SSL communication from RiskFort to the UBP application a security exposure?

Environment

RiskFort servers and servers running the UBP application

Resolution


There is no exposure, as the request contains information such as Orgname, Device information etc. that cannot be exploited.

Below is a sample request from the risk server to UBP:

Wed May 23 18:59:00.558 2018 LOW: pid 3016 tid 236: 8: 1:10004: GDPRule::sendAndReceiveHTTPData : Writing [<?xml version="1.0" encoding="UTF-8"?><EvalCallout xmlns="http://www.arcot.com/EvalCalloutRequest" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.arcot.com/EvalCalloutRequest ArcotRiskInput_V2.xsd "><DocVersion>1.0</DocVersion><TransactionID>1:10004</TransactionID><UserContext><UserId>VVRR1</UserId><Group>DEFAULTORG</Group><Action>Login</Action></UserContext><DeviceContext><HTTPDeviceId>9IcUtBjejj87fIOQuv63ZeQJ61oQAj8I4ybZ5MznwDewfaiw9l+3tm0y0VAyd91i</HTTPDeviceId><FLASHDeviceId></FLASHDeviceId><AggregatorId></AggregatorId><DeviceSignature><![CDATA[{"DEVICESIG":{"collector": "Browser", "collectorVersion":"2","EXTERNALIP":{ "externalip":"10.134.112.127"},"EXTRA":{ "NetscapePlugins":{}},"HTTP_HEADER":{ "user-agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko\/20100101 Firefox\/60.0"},"MESC":{ "MESC":"94431"},"OPTIONAL":{ "flash_ver":"29.0.0.171"},"OS_BROWSER":{ "build_id":"20180516032328","cookie_enabled":"1","vendor":"","vendor_sub_id":"","os":"Windows","os_ver":"13.0.0","browser_ver":"60.0","browser":"Firefox"},"SCREEN":{ "availHeight":"1160","availWidth":"1920","colorDepth":"24","height":"1200","width":"1920","pixelDepth":"24"},"SYSTEM":{ "oscpu":"Windows NT 6.1; Win64; x64","platform":"Win64"},"USER_PREF":{ "timezone":"-330","sys_lang":"en-US"}}}]]></DeviceSignature><BrowserType>Firefox</BrowserType><OSType>Windows</OSType><DeviceType>PC</DeviceType></DeviceContext><Channel></Channel><LocationContext><ClientIP>10.134.112.127</ClientIP><Latitude></Latitude><Longitude></Longitude><Continent></Continent><Country></Country><CountryISO2></CountryISO2><Region></Region><State></State><City></City><ConnectionType></ConnectionType><LineSpeed></LineSpeed><RoutingType></RoutingType><AnonymizerStatus></AnonymizerStatus></LocationContext><ExtensibleElements></ExtensibleElements><RuleSetResult><RuleResult result="0" 
ruleName="UnknownDeviceId"/><RuleResult result="" ruleName="ExceptionUser"/><RuleResult result="" ruleName="NegativeIP"/><RuleResult result="" ruleName="NegativeCountry"/><RuleResult result="" ruleName="TrustedAggregatorIP"/><RuleResult result="0" ruleName="UnknownUser"/><RuleResult result="" ruleName="UserVelocity"/><RuleResult result="" ruleName="DeviceVelocity"/><RuleResult result="" ruleName="ZoneHopping"/></RuleSetResult></EvalCallout>] to GDP running at [http://localhost:8080/ca-userprofiling-2.0-application/UBPServlet


It mostly contains user information such as username, org, location information, device information, etc.
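
As an added example (not part of the original article and not CA's code), the Python below takes one callout log line in the format shown above and reports which request fields are populated and whether the UBP endpoint is a loopback address or a remote host reached over plain HTTP. The `SAMPLE` line, its values, and the function names `flatten` and `inventory` are constructed for illustration.

```python
import ipaddress
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a shortened line in the log format shown above, made-up values.
SAMPLE = (
    'Wed May 23 18:59:00.558 2018 LOW: pid 1 tid 1: 8: 1:1: GDPRule::sendAndReceiveHTTPData : '
    'Writing [<?xml version="1.0" encoding="UTF-8"?>'
    '<EvalCallout xmlns="http://www.arcot.com/EvalCalloutRequest">'
    '<UserContext><UserId>USER1</UserId><Group>DEFAULTORG</Group></UserContext>'
    '<DeviceContext><HTTPDeviceId>AAAA</HTTPDeviceId><DeviceSignature><![CDATA['
    '{"DEVICESIG":{"EXTERNALIP":{"externalip":"192.0.2.10"}}}]]></DeviceSignature>'
    '</DeviceContext><LocationContext><ClientIP>192.0.2.10</ClientIP><Country></Country>'
    '</LocationContext></EvalCallout>] to GDP running at '
    '[http://localhost:8080/ca-userprofiling-2.0-application/UBPServlet]'
)

def flatten(obj, prefix):
    """Yield (dotted.path, value) for every non-empty leaf of the decoded JSON."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}")
    elif obj not in ("", None):
        yield prefix, obj

def inventory(log_line):
    """Return (endpoint facts, populated request fields) for one callout log line."""
    m = re.search(r"Writing \[(<\?xml.*</EvalCallout>)\] to GDP running at \[([^\]\s]+)",
                  log_line, re.S)
    if m is None:
        raise ValueError("not a sendAndReceiveHTTPData callout line")
    parts = urlsplit(m.group(2))
    host = parts.hostname or ""
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:                      # not an IP literal, compare the name
        loopback = host.lower() == "localhost"
    fields = {}
    for el in ET.fromstring(m.group(1).encode("utf-8")).iter():
        name = el.tag.split("}")[-1]        # drop the XML namespace
        text = (el.text or "").strip()
        if len(el) == 0 and text:           # populated leaf elements only
            if name == "DeviceSignature":   # CDATA body is JSON: list its leaves too
                fields.update(flatten(json.loads(text), name))
            else:
                fields[name] = text
    return {"scheme": parts.scheme, "host": host, "loopback": loopback}, fields
```

Calling `inventory()` on lines taken from a RiskFort server's own log shows the fields that deployment actually sends and whether the configured UBP URL keeps the request on the local host.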