Is non-SSL communication from RiskFort to UBP a security risk

Document ID : KB000101621
Last Modified Date : 04/09/2018
Show Technical Document Details
Introduction:
Riskfort communicates with CA Strong Authentication's UBP application to generate model risk scores. This communication is currently using HTTP protocol and HTTPS is not supported. Customer have raised queries about any exposure give that SSL communication is not supported. 
Question:
Is non-ssl communication from Riskfort to UBP application a security exposure ? 
Environment:
Riskfort Servers and Servers running UBP application
Answer:

There is no exposure as the request contains information like Orgname, Device information etc. that cannot be exploited. 

Below is a sample request from risk server to UBP: 

Wed May 23 18:59:00.558 2018 LOW: pid 3016 tid 236: 8: 1:10004: GDPRule::sendAndReceiveHTTPData : Writing [<?xml version="1.0" encoding="UTF-8"?><EvalCallout xmlns="http://www.arcot.com/EvalCalloutRequest" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.arcot.com/EvalCalloutRequest ArcotRiskInput_V2.xsd "><DocVersion>1.0</DocVersion><TransactionID>1:10004</TransactionID><UserContext><UserId>VVRR1</UserId><Group>DEFAULTORG</Group><Action>Login</Action></UserContext><DeviceContext><HTTPDeviceId>9IcUtBjejj87fIOQuv63ZeQJ61oQAj8I4ybZ5MznwDewfaiw9l+3tm0y0VAyd91i</HTTPDeviceId><FLASHDeviceId></FLASHDeviceId><AggregatorId></AggregatorId><DeviceSignature><![CDATA[{"DEVICESIG":{"collector": "Browser", "collectorVersion":"2","EXTERNALIP":{ "externalip":"10.134.112.127"},"EXTRA":{ "NetscapePlugins":{}},"HTTP_HEADER":{ "user-agent":"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko\/20100101 Firefox\/60.0"},"MESC":{ "MESC":"94431"},"OPTIONAL":{ "flash_ver":"29.0.0.171"},"OS_BROWSER":{ "build_id":"20180516032328","cookie_enabled":"1","vendor":"","vendor_sub_id":"","os":"Windows","os_ver":"13.0.0","browser_ver":"60.0","browser":"Firefox"},"SCREEN":{ "availHeight":"1160","availWidth":"1920","colorDepth":"24","height":"1200","width":"1920","pixelDepth":"24"},"SYSTEM":{ "oscpu":"Windows NT 6.1; Win64; x64","platform":"Win64"},"USER_PREF":{ "timezone":"-330","sys_lang":"en-US"}}}]]></DeviceSignature><BrowserType>Firefox</BrowserType><OSType>Windows</OSType><DeviceType>PC</DeviceType></DeviceContext><Channel></Channel><LocationContext><ClientIP>10.134.112.127</ClientIP><Latitude></Latitude><Longitude></Longitude><Continent></Continent><Country></Country><CountryISO2></CountryISO2><Region></Region><State></State><City></City><ConnectionType></ConnectionType><LineSpeed></LineSpeed><RoutingType></RoutingType><AnonymizerStatus></AnonymizerStatus></LocationContext><ExtensibleElements></ExtensibleElements><RuleSetResult><RuleResult result="0" ruleName="UnknownDeviceId"/><RuleResult result="" ruleName="ExceptionUser"/><RuleResult result="" ruleName="NegativeIP"/><RuleResult result="" ruleName="NegativeCountry"/><RuleResult result="" ruleName="TrustedAggregatorIP"/><RuleResult result="0" ruleName="UnknownUser"/><RuleResult result="" ruleName="UserVelocity"/><RuleResult result="" ruleName="DeviceVelocity"/><RuleResult result="" ruleName="ZoneHopping"/></RuleSetResult></EvalCallout>] to GDP running at [http://localhost:8080/ca-userprofiling-2.0-application/UBPServlet


It mostly contains user information such as username, org, location information, device information etc.,