Use of MD5, use of HTTP, and empty passwords about govuk-puppet HOT 3 CLOSED

Along with use of MD5, I also noticed instances of empty passwords. Empty passwords increase the guessability of passwords. The Common Weakness Organization (CWE) identifies use of empty passwords as a security weakness (https://cwe.mitre.org/data/definitions/258.html).

I suggest that to follow the strong password guidelines, and manage passwords with hiera.

Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/govuk_crawler/manifests/init.pp

from govuk-puppet.

I also found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source: https://github.com/alphagov/govuk-puppet/blob/master/modules/nodejs/manifests/repo.pp

from govuk-puppet.

Thank you for raising these and apologies for the lack of activity on the issue.

We have a separate, private, system that replaces the empty passwords with securely generated values that are loaded via Hiera. Due to the nature of the public/private split it can appear we have empty passwords in places where we actually don't. In regards to the postgres issue we've moved to RDS now and changed the way this authentication works.

Thank you again for flagging these

from govuk-puppet.