Use of HTTP

[akondasif]

Greetings,

I am a security researcher, who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/pcfens/puppet-filebeat/blob/master/manifests/repo.pp (Line 57)

[pcfens]

Puppet itself supports HTTPS, but the underlying tools that puppet calls don't always support it (e.g. apt without the apt-transport-https plugin).

The code you referenced is about 2 and a half years old, so I have no idea why it originally didn't use https (maybe Suse at the time didn't). I've gone ahead and changed it - hopefully someone that uses Suse will be able to test before releasing another copy the the forge.

[akondasif]

Thanks for the feedback.
I assumed the same ... lack of tool support can be a reason why HTTP is used instead of HTTPS.
Really appreciate your effort on making the changes.