HTTPS and TLS Overview

Questions and Answers

PDF Questions PDF Answers

What is one of the key points in how HTTPS works?

Server verifies Client via Certificate issued by a Certificate Authority (CA) (correct)

Domain Validation (DV) is optional in obtaining a TLS Certificate

Server and Client both use symmetric encryption throughout the connection

TLS Certificates can be forged easily

What is the main difference between obtaining a free and paid TLS Certificate?

Paid Certificates last for a maximum of 90 days

Free Certificates require detailed company verification

The domain ownership requirement is only for the paid Certificates (correct)

Encryption level differs between free and paid Certificates

Which type of domain validation is done for obtaining a free TLS Certificate?

Extended Validation (EV)

Person/Company Validation

Organization Validation (OV)

Domain Validation (DV) (correct)

Why are TLS Certificates recommended for E-Commerce sites, particularly those collecting credit card information?

To provide a secure connection and warranty coverage

What does the text mention about Let's Encrypt and Comodo SSL?

Let's Encrypt only offers Domain Validation (DV) Certificates

Why are free TLS Certificates particularly suitable for small, personal sites with no e-commerce functionalities?

They are good for sites that do not involve e-commerce functionalities

Which Argon2 variant is recommended by OWASP due to its hybrid approach?

Argon2id

What is a key characteristic of Argon2d in terms of resistance?

Resistant to GPUs

What is a common misconception about storing credit card numbers according to the security standards?

It is essential to use a properly audited third-party service for credit card storage

In the context of web security, what is the recommended option if the complexity seems overwhelming?

Use a web security library

What is a unique characteristic of Argon2 in terms of usability?

Demands careful fine-tuning for optimal performance

What is a common method for recovering passwords in web applications?

Using a set of secret questions and answers

What is the main issue with storing secret question answers in plain text?

Answers can be found through social media

What security measure can help prevent a brute-force attack on passwords?

Limiting login attempts

How does encrypting secret question answers help improve security?

It prevents hackers from using social media to find the answers

What is the purpose of using a complex password policy?

To make passwords more difficult to guess

What is a dictionary attack in the context of password security?

An attack that uses a list of common passwords to guess a user's password

What is a potential drawback of using an Authentication Service?

It may lead to vendor lock-in

What is a potential advantage of building your own authentication system?

No vendor lock-in issues

What is a downside of using a library like Passport.js or Lucia for authentication?

They are not well-maintained

Why might an enterprise app or e-commerce site prefer using an Authentication Service?

They are more secure

What is a potential issue with building your own authentication system for a small, non-commerce site?

It may not be secure enough

What is a reason why Lucia is popular for use with Next.js?

It works well with Next.js

What is a common method used by hackers to crack passwords?

Rainbow table attack

What is the purpose of a salt in password hashing?

To produce different hashes for the same passwords

What is a disadvantage of using a salt in password hashing?

An attacker could generate a rainbow table for each user once they obtain the salt

What is a complex password policy?

A policy that prevents users from choosing common words for passwords

What is two-factor authentication?

A method that requires users to enter a password and a verification code sent to their phone or email

How does a hacker crack a password using a rainbow table?

By comparing the hashed values of common passwords to a user's hashed password