# Usage of naive Socket class to create SSL Socket

## Overview

* **Rule ID**: `java_lang_socket_init`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-319

## Description

Creating a connection with `new Socket()` and treating it as an SSL socket compromises security: a plain `java.net.Socket` carries no SSL/TLS at all, so everything it sends crosses the network in cleartext (CWE-319). `SSLSocketFactory` is designed with SSL/TLS protocols in mind, offering encryption, hostname verification, and trust manager configuration, making it the secure option for creating SSL sockets.

## Remediation Guidelines

* **Avoid** using `java.net.Socket` to directly create SSL sockets; it provides no encryption or certificate validation.
* **Use** `SSLSocketFactory` to create SSL sockets, ensuring the use of SSL/TLS protocols and other security enhancements.

  ```java
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;
  // Wrap an already-connected plaintext socket (plainSocket) in TLS; the trailing
  // "true" closes plainSocket automatically when the SSLSocket is closed.
  SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
  SSLSocket socket = (SSLSocket) sslSocketFactory.createSocket(plainSocket, host, port, true);
  ```
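The following is an added example (not code from the rule or the scanner project) showing the pattern the rule flags beside its remediated form. The host name `api.example.com`, the class name `TlsSocketExample`, and the request payload are assumptions for illustration. Beyond the snippet above, it also enables endpoint identification, which a raw `SSLSocket` does not do by default, and pins the protocol versions to TLS 1.2 and 1.3.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsSocketExample {

    // Hypothetical endpoint; replace with the real host and port.
    static final String HOST = "api.example.com";
    static final int PORT = 443;

    // Flagged by the rule: a plain java.net.Socket sends the payload in cleartext (CWE-319).
    static void sendCleartext(String payload) throws IOException {
        try (Socket socket = new Socket(HOST, PORT)) {
            OutputStream out = socket.getOutputStream();
            out.write(payload.getBytes(StandardCharsets.UTF_8));
            out.flush();
        }
    }

    // Remediated: SSLSocketFactory negotiates TLS and validates the server certificate
    // against the default trust store. Endpoint identification additionally checks that
    // the certificate matches HOST, which is not enabled by default on a bare SSLSocket.
    static void sendOverTls(String payload) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT)) {
            SSLParameters params = socket.getSSLParameters();
            // "HTTPS" selects RFC 2818 style hostname matching of the certificate against HOST.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            // Restrict negotiation to modern protocol versions.
            params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            socket.setSSLParameters(params);
            // Handshake explicitly so certificate or hostname failures surface here,
            // before any application data is written.
            socket.startHandshake();
            OutputStream out = socket.getOutputStream();
            out.write(payload.getBytes(StandardCharsets.UTF_8));
            out.flush();
        }
    }

    public static void main(String[] args) throws IOException {
        sendOverTls("GET / HTTP/1.0\r\nHost: " + HOST + "\r\n\r\n");
    }
}
```

With endpoint identification enabled, a certificate issued for a different host fails the handshake with an `SSLHandshakeException` instead of silently succeeding; `sendCleartext` is kept only to show the shape of code the rule reports.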

## References

* [**OWASP Transport Layer Security Cheat Sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Security_Cheat_Sheet.html)
* [**CWE-319: Cleartext Transmission of Sensitive Information**](https://cwe.mitre.org/data/definitions/319.html)
* [**OWASP Top 10: A02:2021 - Cryptographic Failures**](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
