Exam CAS-004
Question 24

A customer reports being unable to connect to a website at www.test.com to consume services. The customer notices the web application has the following published cipher suite:

Which of the following is the MOST likely cause of the customer's inability to connect?

    Correct Answer: A

    The most likely cause of the customer's inability to connect is weak ciphers being used. The provided cipher suites, which include TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, are considered weak due to their susceptibility to certain attacks, such as the BEAST attack and other vulnerabilities like Zombie POODLE and GOLDENDOODLE. Weak ciphers can prevent secure connections, hence causing connectivity issues.

Discussion
snilu (Option: A)

A) "SHA-256 is not a secure password hashing algorithm" ECDSA is not mentioned.

BiteSize (Option: A)

https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/ has quite a few weaknesses. When looking up ECDSA and connection issues, it says that the cipher suite of ECDSA is TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. So because the published application suite that the user is trying to connect to is stating an RSA cipher, it's probable that it's because it is weak. RSA cipher suites don't work without an RSA public key. https://serverfault.com/questions/1050808/tls-1-2-with-rsa-vs-ecdsa-ciphers

BiteSize

Also, due to "The decision on which cipher suite will be used depends on the web server. The agreed cipher suite is a combination of: Key exchange algorithms, such as RSA, DH, ECDH, DHE, ECDHE, or PSK Authentication/Digital Signature Algorithm, like RSA, ECDSA, or DSA Bulk encryption algorithms, like AES, CHACHA20, Camellia, or ARIA Message Authentication Code algorithms, such as SHA-256, and POLY1305" https://www.keyfactor.com/blog/cipher-suites-explained/ Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

llamaPaja (Option: A)

I'd guess A - read this: https://ciphersuite.info/cs/TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384/ It is clear that CBC has not been recommended for use for a long time...

angryelvis (Option: B)

OK, we all agree that this is a weak cipher suite (see the link below). But, that's not the question. The question is about the "inability to connect". Look at the below link and you will see that ECDSA is used to authenticate. You can connect to a weak cipher suite but if you're missing the signature algorithm... https://ciphersuite.info/cs/TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384/
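The two points raised above, BiteSize's breakdown of a suite into key exchange, authentication, bulk cipher and MAC, and angryelvis's distinction between a suite being weak and a connection being impossible, can be made concrete with a small model. The following is an added example written for this thread; it is not code from the exam, from ciphersuite.info or from any site linked here. It parses IANA-style suite names, flags the CBC property that ciphersuite.info marks as weak, and runs a simplified server-preference negotiation. The client profiles and the server's key type are constructed for illustration (no real browser's list is reproduced), and real TLS additionally negotiates protocol version, signature algorithms and groups, which are left out here.

```python
"""Toy model of TLS 1.2 cipher-suite selection (added example, not from the
exam or any linked site). Client lists below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str    # ECDHE, DHE, RSA, ...
    authentication: str  # RSA, ECDSA, ...  (must match the server's key)
    bulk_cipher: str     # AES_128, AES_256, CHACHA20_POLY1305, ...
    mode: str            # CBC, GCM, AEAD, STREAM
    mac: str             # SHA, SHA256, SHA384, ...


def parse_suite(name):
    """TLS_<kx>[_<auth>]_WITH_<cipher>[_<mode>]_<mac>. A lone 'RSA' before
    WITH means static RSA key exchange with RSA authentication."""
    left, right = name.split("_WITH_")
    kx_parts = left.split("_")[1:]          # drop the leading 'TLS'
    key_exchange = kx_parts[0]
    authentication = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
    tokens = right.split("_")
    mac, body = tokens[-1], tokens[:-1]
    if "CBC" in body:
        mode = "CBC"
    elif "GCM" in body:
        mode = "GCM"
    elif "POLY1305" in body or "CCM" in body:
        mode = "AEAD"
    else:
        mode = "STREAM"                      # e.g. RC4
    bulk_cipher = "_".join(t for t in body if t not in ("CBC", "GCM"))
    return Suite(name, key_exchange, authentication, bulk_cipher, mode, mac)


def weaknesses(suite):
    """Properties a scanner would flag. Weak does not mean unconnectable:
    a client that still offers the suite will complete the handshake."""
    findings = []
    if suite.mode == "CBC":
        findings.append("CBC (MAC-then-encrypt) mode: padding-oracle family "
                        "(Zombie POODLE, GOLDENDOODLE); prefer AEAD suites")
    if suite.key_exchange == "RSA":
        findings.append("static RSA key exchange: no forward secrecy")
    if suite.mac in ("MD5", "SHA"):
        findings.append(f"{suite.mac} MAC: legacy hash")
    if suite.bulk_cipher in ("RC4_128", "3DES_EDE", "DES"):
        findings.append(f"{suite.bulk_cipher}: broken or 64-bit block cipher")
    return findings


def negotiate(server_suites, server_key_type, client_suites):
    """Server-preference selection. Returns (chosen name or None, reason)."""
    offered = set(client_suites)
    # A suite is only usable if its authentication algorithm matches the key
    # in the server certificate (RSA cert -> *_RSA_* suites, and so on).
    key_ok = [parse_suite(s) for s in server_suites
              if parse_suite(s).authentication == server_key_type]
    if not key_ok:
        return None, (f"no published suite authenticates with the server's "
                      f"{server_key_type} key (certificate/suite mismatch)")
    for suite in key_ok:
        if suite.name in offered:
            return suite.name, ("handshake completes; findings: "
                                + "; ".join(weaknesses(suite)))
    return None, "no cipher suite shared between client and server"


# Constructed scenario matching the thread: the site publishes only two
# ECDHE-RSA CBC suites and (assumed here) holds an RSA certificate.
SERVER_SUITES = ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"]
# Constructed client profiles (illustrative, not any real browser's list).
AEAD_ONLY_CLIENT = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
PERMISSIVE_CLIENT = AEAD_ONLY_CLIENT + ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"]


if __name__ == "__main__":
    for s in SERVER_SUITES:
        print(parse_suite(s), weaknesses(parse_suite(s)))
    # Client that dropped CBC suites: nothing in common, connection fails.
    print(negotiate(SERVER_SUITES, "RSA", AEAD_ONLY_CLIENT))
    # Client that still offers CBC: connects, but the suite is flagged weak.
    print(negotiate(SERVER_SUITES, "RSA", PERMISSIVE_CLIENT))
    # ECDSA-only suites with an RSA certificate never connect, whatever the client offers.
    print(negotiate(["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"], "RSA",
                    PERMISSIVE_CLIENT))
```

Running the script shows the three outcomes separately: a client that no longer offers CBC suites cannot connect at all, a client that still offers them connects with a weak suite, and a server whose published suites do not match its certificate key type fails regardless of the client. Which of these the exam scenario intends cannot be read off the cipher names alone, which is why the thread splits between A and B.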

FOURDUE (Option: A)

https://community.progress.com/s/article/unable-to-connect-to-site-externally-weak-cipher-or-http2-error

kycugu (Option: A)

In practice, an RSA key will work everywhere. ECDSA support is newer, so some old clients or servers may have trouble with ECDSA keys. I will go for "A". Reference: https://security.stackexchange.com/questions/23383/ssh-key-type-rsa-dsa-ecdsa-are-there-easy-answers-for-which-to-choose-when

lordguck (Option: A)

I go for A: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 is labelled as weak on ciphersuite.info

dangerelchulo (Option: A)

C can't be the answer since port 80 is plain-text communication while 443 is the cipher communication. The website is set to default to port 443, so I can successfully communicate in the cipher stated above.

Boats (Option: A)

I think it is A. Recently new vulnerabilities like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities are applicable only if the server uses TLS 1.2 or TLS 1.1 or TLS 1.0 with CBC cipher modes.

Boats

Here is more information. https://community.progress.com/s/article/unable-to-connect-to-site-externally-weak-cipher-or-http2-error

Andre876 (Option: A)

The answer is A. https://ciphersuite.info/search/?q=TLS_RSA_WITH_AES_256_CBC_SHA256

Sloananne (Option: A)

A) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 are both considered weak cipher suites. They may be vulnerable to the BEAST attack since they are TLS 1.2.

dangerelchulo (Option: A)

C and D are not valid answers. For why C is not a valid answer, check this link on how to handle HTTPS redirects: https://stackoverflow.com/questions/13376219/htaccess-redirect-http-to-https Leaning towards A since it is similar behavior to a cipher mismatch. The cipher used is TLS 1.2 and the client might be using a TLS 1.3 connection. Again CompTIA doing its misdirection.

ito4862

From the link you sent, I followed it to https://cwiki.apache.org/confluence/display/httpd/RedirectSSL. Wouldn't this prove that D is the answer?

    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName www.example.com
        Redirect / https://secure.example.com/
    </VirtualHost>

    <VirtualHost _default_:443>
        ServerName secure.example.com
        DocumentRoot /usr/local/apache2/htdocs
        SSLEngine On
        # etc...
    </VirtualHost>

ito4862

Nvm, I believe A is the answer. I remembered that I have used old government websites that needed to have TLS 1.0 enabled in order to connect. I specifically had to go into IE settings and enable them for the website to work.

23169fd (Option: B)

B is correct. A: These are strong ciphers and are generally considered secure. C: The configuration correctly redirects HTTP traffic (port 80) to HTTPS (port 443), which is standard practice. D: The server name configuration www.test.com matches the standard expected URL format.

holymolly (Option: A)

A is correct. You can get all questions from me at [email protected]

Delab202 (Option: B)

Based on the provided information, the MOST likely cause of the customer's inability to connect is: B. The public key should be using ECDSA.

EZPASS (Option: C)

I agree, the correct answer is 'C'. Refer to the following link and scroll down to the 'recommendation' section for the explanation. https://technology.amis.nl/security-2/ssltls-choose-cipher-suite/
