Data transmitted by the service is susceptible to collection by any entity
with access to any part of the transmission path. Packet observations can
be used to support the planning of attacks by profiling origin points,
destinations, and usage patterns. The data may also be vulnerable to
interception or modification in transit if not properly encrypted,
impacting the confidentiality or integrity of the transmitted data.
When a port is exposed for non-SSH network traffic, all traffic MUST include a TLS handshake AND be encrypted using TLS 1.3 or higher.
Applicability: tlp-green, tlp-amber, tlp-red
CCC.Core.C01.TR02
When a port is exposed for SSH network traffic, all traffic MUST include an SSH handshake AND be encrypted using SSHv2 or higher.
Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red
CCC.Core.C01.TR03
When the service receives unencrypted traffic, then it MUST either block the request or automatically redirect it to the secure equivalent.
Applicability: tlp-green, tlp-amber, tlp-red
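TR01, TR02 and TR03 are all decided by the first bytes a client sends on an exposed port: a TLS record carrying a ClientHello, an SSH identification string, or something in the clear. The classifier below is an added example, not part of the CCC catalog or any reference implementation. It parses the TLS record and Hello framing from RFC 8446 (legacy_version plus the supported_versions extension, since a TLS 1.3 endpoint keeps legacy_version at 1.2), reads the protocol version from the SSH identification line (RFC 4253), and reports a verdict per requirement. The `build_client_hello`/`build_server_hello` helpers produce constructed sample messages for offline runs; they are not real captures. A ClientHello only shows what the client is willing to negotiate, so the authoritative TR01 check is the version the ServerHello selects; the client-side result is useful for spotting connections that cannot reach TLS 1.3 at all.

```python
import struct

# TLS record/handshake constants (RFC 8446); SSH identification line per RFC 4253.
TLS_HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def _u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]


def parse_tls_hello(payload):
    """Parse a TLS record carrying a ClientHello or ServerHello.

    Returns ("client", offered_versions) or ("server", [selected_version]),
    or None when the payload is not a well-formed Hello. When the
    supported_versions extension is present it overrides legacy_version.
    """
    try:
        if len(payload) < 9 or payload[0] != TLS_HANDSHAKE:
            return None
        hs = payload[5:5 + _u16(payload, 3)]
        if len(hs) < 4 or hs[0] not in (CLIENT_HELLO, SERVER_HELLO):
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        if len(body) < 35:
            return None
        versions = [_u16(body, 0)]          # legacy_version
        pos = 34                            # skip legacy_version + 32-byte random
        pos += 1 + body[pos]                # session_id vector
        if hs[0] == CLIENT_HELLO:
            pos += 2 + _u16(body, pos)      # cipher_suites vector
            pos += 1 + body[pos]            # compression_methods vector
        else:
            pos += 3                        # cipher_suite + compression_method
        if pos + 2 <= len(body):            # extensions block is optional
            end = pos + 2 + _u16(body, pos)
            pos += 2
            while pos + 4 <= end:
                etype, elen = _u16(body, pos), _u16(body, pos + 2)
                data = body[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                if etype != EXT_SUPPORTED_VERSIONS:
                    continue
                if hs[0] == CLIENT_HELLO and data:       # 1-byte length + list of versions
                    versions = [_u16(data, 1 + i) for i in range(0, data[0], 2) if 3 + i <= len(data)]
                elif hs[0] == SERVER_HELLO and len(data) == 2:   # single selected version
                    versions = [_u16(data, 0)]
        return ("client" if hs[0] == CLIENT_HELLO else "server", versions)
    except (IndexError, struct.error):
        return None


def assess_first_bytes(payload):
    """Verdict for the first bytes on an exposed port against TR01/TR02/TR03."""
    if payload.startswith(b"SSH-"):
        proto = payload[4:].split(b"-", 1)[0].decode("ascii", "replace")
        # TR02: only "2.0" passes; "1.99" advertises SSHv1 compatibility.
        return {"kind": "ssh", "version": proto, "compliant": proto == "2.0"}
    hello = parse_tls_hello(payload)
    if hello is not None:
        side, versions = hello
        names = [VERSION_NAMES.get(v, hex(v)) for v in versions]
        if side == "client":   # can only reach TLS 1.3 if the client offers it
            return {"kind": "tls-clienthello", "version": names, "compliant": TLS13 in versions}
        return {"kind": "tls-serverhello", "version": names[0], "compliant": versions[0] >= TLS13}
    if payload.startswith(HTTP_METHODS):   # TR03: must be blocked or redirected
        return {"kind": "plaintext-http", "version": None, "compliant": False}
    return {"kind": "unknown", "version": None, "compliant": False}


def build_client_hello(offered):
    """Constructed sample ClientHello (not a capture). offered=None omits extensions,
    mimicking a legacy client that only signals TLS 1.2 via legacy_version."""
    ext_block = b""
    if offered is not None:
        sv = b"".join(struct.pack("!H", v) for v in offered)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv) + 1) + bytes([len(sv)]) + sv
        ext_block = struct.pack("!H", len(ext)) + ext
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy_version, random, no session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"               # one cipher suite, null compression
            + ext_block)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_server_hello(selected):
    """Constructed sample ServerHello (not a capture) selecting one version."""
    ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected) if selected >= TLS13 else b""
    body = (struct.pack("!H", min(selected, 0x0303)) + bytes(32) + b"\x00"   # legacy_version capped at 1.2
            + b"\x13\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = {  # constructed inputs, labelled by what they model
        "tls13-capable client": build_client_hello([TLS13, 0x0303]),
        "legacy tls1.2 client": build_client_hello(None),
        "server picked 1.3": build_server_hello(TLS13),
        "sshv2 client": b"SSH-2.0-OpenSSH_9.6\r\n",
        "cleartext http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    for label, raw in samples.items():
        print(f"{label:22} -> {assess_first_bytes(raw)}")
```

Run it against the first client-to-server payload of each new connection (for example from a capture or a sidecar proxy); anything that is neither a TLS Hello nor an SSH identification line is a TR03 hit, and a ServerHello whose selected version is below 1.3 is a TR01 hit regardless of what the client offered.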
CCC.Core.C01.TR07
When a port is exposed, the service MUST ensure that the protocol and service officially assigned to that port number by the IANA Service Name and Transport Protocol Port Number Registry, and no other, is run on that port.
Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red
CCC.Core.C01.TR08
When a service transmits data using TLS, mutual TLS (mTLS) MUST be implemented to require both client and server certificate authentication for all connections.
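TR01 (TLS 1.3 minimum) and TR08 (client certificates required) are both properties of the server's TLS configuration, so they can be enforced and audited at the point where the context is built. The code below is an added example using Python's standard `ssl` module; it is not part of the CCC catalog. `make_server_context(enforce=False)` reproduces the weak settings a service commonly ships with (TLS 1.2 allowed, no client certificate), `enforce=True` applies the two requirements, and `audit_server_context` returns the findings for any context. The `cert_chain` and `ca_bundle` path parameters are hypothetical; when they are omitted the context is built without loading files so the audit can run offline.

```python
import ssl


def make_server_context(cert_chain=None, ca_bundle=None, enforce=True):
    """Build a server-side TLS context.

    enforce=True applies TR01 (minimum TLS 1.3) and TR08 (client certificate
    required). enforce=False shows the weak configuration for comparison.
    cert_chain and ca_bundle are hypothetical file paths; None skips loading.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if enforce:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_3   # TR01: no fallback to 1.2 or older
        ctx.verify_mode = ssl.CERT_REQUIRED            # TR08: handshake fails without a client cert
        if ca_bundle:
            ctx.load_verify_locations(cafile=ca_bundle)   # CA that issues the client certificates
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # weak: TLS 1.2 still negotiable
        ctx.verify_mode = ssl.CERT_NONE                # weak: any client is accepted
    if cert_chain:
        ctx.load_cert_chain(cert_chain)                # server's own certificate and key
    return ctx


def audit_server_context(ctx):
    """Return TR01/TR08 findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("TR01: minimum_version allows TLS below 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("TR08: verify_mode does not require a client certificate")
    elif ctx.cert_store_stats()["x509_ca"] == 0:
        # CERT_REQUIRED with no trust anchors rejects every client; the CA must be loaded.
        findings.append("TR08: client certificates are required but no CA is loaded to validate them")
    return findings


if __name__ == "__main__":
    print("weak   :", audit_server_context(make_server_context(enforce=False)))
    print("strict :", audit_server_context(make_server_context(enforce=True)))
```

The strict context built without `ca_bundle` still reports one TR08 finding, which is the point of the `cert_store_stats` check: requiring client certificates is only half of mTLS, the server must also hold the CA that can validate them.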