HTTPS and TLS Overview

Questions and Answers

What is one of the key points in how HTTPS works?

• Server verifies Client via Certificate issued by a Certificate Authority (CA) (correct)
• Domain Validation (DV) is optional in obtaining a TLS Certificate
• Server and Client both use symmetric encryption throughout the connection
• TLS Certificates can be forged easily

What is the main difference between obtaining a free and paid TLS Certificate?

• Paid Certificates last for a maximum of 90 days
• Free Certificates require detailed company verification
• The domain ownership requirement is only for the paid Certificates (correct)
• Encryption level differs between free and paid Certificates

Which type of domain validation is done for obtaining a free TLS Certificate?

• Extended Validation (EV)
• Person/Company Validation
• Organization Validation (OV)
• Domain Validation (DV) (correct)

Why are TLS Certificates recommended for E-Commerce sites, particularly those collecting credit card information?

To provide a secure connection and warranty coverage (C)

What does the text mention about Let's Encrypt and Comodo SSL?

Let's Encrypt only offers Domain Validation (DV) Certificates (B)

Why are free TLS Certificates particularly suitable for small, personal sites with no e-commerce functionalities?

They are good for sites that do not involve e-commerce functionalities (C)

Which Argon2 variant is recommended by OWASP due to its hybrid approach?

Argon2id (C)

What is a key characteristic of Argon2d in terms of resistance?

Resistant to GPUs (C)

What is a common misconception about storing credit card numbers according to the security standards?

It is essential to use a properly audited third-party service for credit card storage (A)

In the context of web security, what is the recommended option if the complexity seems overwhelming?

Use a web security library (B)

What is a unique characteristic of Argon2 in terms of usability?

Demands careful fine-tuning for optimal performance (A)

What is a common method for recovering passwords in web applications?

Using a set of secret questions and answers (A)

What is the main issue with storing secret question answers in plain text?

Answers can be found through social media (C)

What security measure can help prevent a brute-force attack on passwords?

Limiting login attempts (D)

How does encrypting secret question answers help improve security?

It prevents hackers from using social media to find the answers (A)

What is the purpose of using a complex password policy?

To make passwords more difficult to guess (B)

What is a dictionary attack in the context of password security?

An attack that uses a list of common passwords to guess a user's password (D)

What is a potential drawback of using an Authentication Service?

It may lead to vendor lock-in (D)

What is a potential advantage of building your own authentication system?

No vendor lock-in issues (B)

What is a downside of using a library like Passport.js or Lucia for authentication?

They are not well-maintained (C)

Why might an enterprise app or e-commerce site prefer using an Authentication Service?

They are more secure (A)

What is a potential issue with building your own authentication system for a small, non-commerce site?

It may not be secure enough (D)

What is a reason why Lucia is popular for use with Next.js?

It works well with Next.js (B)

What is a common method used by hackers to crack passwords?

Rainbow table attack (A)

What is the purpose of a salt in password hashing?

To produce different hashes for the same passwords (C)

What is a disadvantage of using a salt in password hashing?

An attacker could generate a rainbow table for each user once they obtain the salt (C)

What is a complex password policy?

A policy that prevents users from choosing common words for passwords (A)

What is two-factor authentication?

A method that requires users to enter a password and a verification code sent to their phone or email (A)

How does a hacker crack a password using a rainbow table?

By comparing the hashed values of common passwords to a user's hashed password (A)

Flashcards

HTTPS Key Point

Server verifies Client via Certificate issued by a Certificate Authority (CA).

Free vs. Paid TLS

Paid TLS Certificates require domain ownership proof, while free ones may not.

Free TLS Validation

Domain Validation (DV) is used for free TLS Certificates.

TLS for E-Commerce

TLS Certificates secure connections and may offer warranty coverage.

Let's Encrypt Certificates

Let's Encrypt only offers Domain Validation (DV) Certificates.

Free TLS Certificates Use Cases

Suitable for sites that do not involve e-commerce functionalities.

OWASP's Argon2 Choice

Argon2id is recommended by OWASP due to its hybrid approach.

Argon2d Resistance

Argon2d is designed to resist GPU-based attacks.

Storing Credit Cards

It's essential to use a properly audited third-party service for credit card storage.

Overwhelmed by Security?

Use a web security library.

Argon2 Usability

Argon2 demands careful fine-tuning for optimal performance.

Password Recovery

Using a set of secret questions and answers.

Plain Text Secret Answers Risk

Answers can be found through social media.

Brute-Force Prevention

Limiting login attempts.

Encrypting Secret Answers

It prevents hackers from using social media to find the answers.

Complex Password Policy

To make passwords more difficult to guess.

Dictionary Attack

An attack that uses a list of common passwords to guess a user's password.

Auth Service Downside

It may lead to vendor lock-in.

DIY Auth Advantage

No vendor lock-in issues.

Passport.js/Lucia Problem

They are not well-maintained.

Auth Service for Enterprise

They are more secure.

DIY Auth Risk

It may not be secure enough.

Lucia's Popularity

It works well with Next.js.

Hackers Common Method

Rainbow table attack.

Salt Purpose

To produce different hashes for the same passwords.

Salt Disadvantage

An attacker could generate a rainbow table for each user once they obtain the salt.

Complex Password Policy

A policy that prevents users from choosing common words for passwords.

Two-Factor Authentication

A method that requires users to enter a password and a verification code sent to their phone or email.

Rainbow Table Hack

By comparing the hashed values of common passwords to a user's hashed password.