There is no SSL/TLS encryption enabled on your server. All traffic to your web application is transported via unencrypted channels. This leaves your users vulnerable to man-in-the-middle attacks.
CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lack of TLS encryption is a major vulnerability: it leaves traffic exposed and easily accessible to malicious parties.
But even with TLS encryption, there are a number of possible directions from which your application can be attacked and compromised. Some of the attacks that can be launched against systems using TLS encryption include:
- Renegotiation attacks
- Downgrade attacks
- Cross-protocol attacks
- Timing attacks on padding
- BEAST, CRIME, BREACH, and POODLE attacks, and more
To get a full picture of the various vulnerabilities and how to prevent them, see our SSL/TLS Vulnerability guide!
To provide a secure way for your users to communicate with your web application, you must enable TLS encryption. This must be offered in any case if customer data is stored and login with user credentials is offered. You can enable TLS encryption by Configuring Trusted Certificates.
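A defender-side check for this finding, as an added example (not Crashtest Security's code): it attempts a certificate-verified handshake with a TLS 1.2 floor and classifies what the listener offers. The names `check_tls` and `start_plain_listener` and the status strings are assumptions made for illustration, and the local cleartext listener is constructed so the example runs offline.

```python
import socket
import ssl
import threading


def check_tls(host, port=443, timeout=5.0):
    """Try a verified TLS handshake; classify what the listener offers."""
    ctx = ssl.create_default_context()            # validates chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 / TLS 1.0 / 1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "tls_ok", "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the certificate is not trusted for this host.
        return {"status": "untrusted_cert", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        # Handshake failed: cleartext service, or no protocol >= TLS 1.2.
        return {"status": "no_usable_tls", "detail": exc.reason or str(exc)}
    except OSError as exc:
        # Refused, timed out or otherwise not reachable at the TCP level.
        return {"status": "unreachable", "detail": str(exc)}


def start_plain_listener():
    """Constructed stand-in for a server without TLS: answers in cleartext."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # any free local port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.recv(4096)  # the client's TLS ClientHello
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_plain_listener()
    print(check_tls("127.0.0.1", srv.getsockname()[1]))  # constructed local target
    srv.close()
```

Run `check_tls` against your own hostname on port 443 after installing the certificate; anything other than `tls_ok` means clients that verify certificates will not get an encrypted channel.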
For more information about Crashtest Security visit crashtest-security.com