Exam CAS-004
Question 37

A new web server must comply with new secure-by-design principles and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:

Which of the following ciphers should the security analyst remove to support the business requirements?

    Correct Answer: B

    The cipher suite TLS_DHE_DSS_WITH_RC4_128_SHA should be removed because it uses the RC4 encryption algorithm, which is considered insecure and deprecated due to known vulnerabilities. Continuing to use RC4 undermines the secure-by-design principles and does not comply with PCI DSS requirements aimed at mitigating the risk of on-path attacks.
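The reasoning behind the answer generalises to any suite in a server's list: the IANA name encodes key exchange, authentication, bulk cipher and MAC/PRF, and each component can be checked against the same secure-by-design and PCI DSS rules. The script below is an added example, not part of the exam page or any vendor tooling; it parses suite names into those components and flags the ones a reviewer would remove (RC4, DES/3DES, NULL, export, anonymous, MD5) and the ones worth a warning (SHA-1 HMAC in non-AEAD suites, static key exchange with no forward secrecy, DSS signatures). The configured list is constructed for illustration; only TLS_DHE_DSS_WITH_RC4_128_SHA comes from the question.

```python
import re
from dataclasses import dataclass, field

# Constructed list of cipher-suite names in IANA form. Only
# TLS_DHE_DSS_WITH_RC4_128_SHA appears in the question; the others are
# stand-ins for the rest of a typical server configuration.
SAMPLE_CONFIGURED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_RC4_128_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]

_MAC_RE = re.compile(r"^(SHA\d*|MD5|NULL)$")
_AEAD_TOKENS = ("GCM", "CCM", "POLY1305")


@dataclass
class SuiteReview:
    name: str
    key_exchange: str      # "ECDHE", "DHE", "RSA", ... ; "" for TLS 1.3 names
    auth: str              # "RSA", "ECDSA", "DSS", "anon", or "" (implied by kx)
    cipher: str            # "AES_128_GCM", "RC4_128", ...
    mac_or_prf: str        # trailing hash token; the PRF hash for AEAD suites
    reasons: list = field(default_factory=list)    # disqualifying findings
    warnings: list = field(default_factory=list)   # weaker, non-blocking findings

    @property
    def must_remove(self) -> bool:
        return bool(self.reasons)


def parse_suite(name: str) -> SuiteReview:
    """Split an IANA cipher-suite name into its components."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher-suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kx_part, enc_part = body.split("_WITH_", 1)
        kx_tokens = kx_part.split("_")
        key_exchange = kx_tokens[0]
        auth = "_".join(kx_tokens[1:])   # empty for static-RSA style names
    else:
        # TLS 1.3 names (e.g. TLS_AES_256_GCM_SHA384) carry no kx/auth part
        key_exchange, auth, enc_part = "", "", body
    enc_tokens = enc_part.split("_")
    mac_or_prf = enc_tokens[-1] if _MAC_RE.match(enc_tokens[-1]) else ""
    cipher = "_".join(enc_tokens[:-1] if mac_or_prf else enc_tokens)
    return SuiteReview(name, key_exchange, auth, cipher, mac_or_prf)


def review_suite(name: str) -> SuiteReview:
    """Apply the hygiene rules a PCI DSS / secure-by-design review would use."""
    s = parse_suite(name)
    if "RC4" in s.cipher:
        s.reasons.append("RC4 stream cipher (prohibited by RFC 7465 and PCI DSS)")
    if "DES" in s.cipher:   # matches both DES and 3DES_EDE
        s.reasons.append("DES/3DES block cipher (64-bit blocks, deprecated)")
    if "NULL" in s.cipher:
        s.reasons.append("NULL cipher, no confidentiality")
    if "EXPORT" in s.name:
        s.reasons.append("export-grade key length")
    if s.auth == "anon":
        s.reasons.append("anonymous key exchange, no server authentication")
    if s.mac_or_prf == "MD5":
        s.reasons.append("MD5 HMAC")
    is_aead = any(t in s.cipher for t in _AEAD_TOKENS)
    if not is_aead and s.mac_or_prf == "SHA":
        s.warnings.append("SHA-1 HMAC in a non-AEAD suite (legacy)")
    if s.key_exchange in ("RSA", "DH", "ECDH"):
        s.warnings.append("no forward secrecy (static key exchange)")
    if s.auth == "DSS":
        s.warnings.append("DSA signatures (poorly supported; dropped in TLS 1.3)")
    return s


def suites_to_remove(suites) -> dict:
    """Map each disqualified suite name to its findings; the rest are kept."""
    return {s.name: s.reasons for s in map(review_suite, suites) if s.must_remove}


if __name__ == "__main__":
    for suite in SAMPLE_CONFIGURED_SUITES:
        r = review_suite(suite)
        print(f"{'REMOVE' if r.must_remove else 'keep':6} {suite}")
        for finding in r.reasons + r.warnings:
            print(f"         - {finding}")
```

Run against the constructed list, only the RC4 suite is marked for removal; the static-RSA CBC suite and the DSS suite pick up warnings rather than hard failures, which is the distinction the question relies on when it asks which single suite must go.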

Discussion
jan2134 (Option: B)

In the past, RC4 was advised as a way to mitigate BEAST attacks. However, due to the latest attacks on RC4, Microsoft has issued an advisory against it. The PCI DSS also prohibits the use of the RC4 bulk cipher. https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/#:~:text=In%20the%20past%2C%20RC4%20was%20advised%20as%20a,prohibits%20the%20use%20of%20the%20RC4%20bulk%20cipher.

adamwella (Option: B)

TLS 1.1 uses RC4, so it's the most outdated of all the choices. Answer is B.

[Removed] (Option: B)

RC4 is deprecated

RevZig67 (Option: B)

RC4 is the clue here.

justx (Option: B)

Think it's B, because it says just 'SHA' at the end, which implies SHA-1.

FOURDUE (Option: B)

This document requires that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections.

zerocool3166 (Option: B)

B is the answer. Additionally, use of weak cipher suites or unapproved algorithms (e.g., RC4, MD5, and others) is not allowed. https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

majestrate (Option: B)

This is the only reference I could find: https://datatracker.ietf.org/doc/html/rfc7465 This document requires that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections.

willsy (Option: B)

RC4 is deprecated.

23169fd (Option: B)

This cipher suite uses RC4 encryption, which is considered insecure and has known vulnerabilities that make it susceptible to attacks. The RC4 algorithm has been deprecated and should not be used in any secure communications. Removing this cipher suite aligns with secure-by-design principles and PCI DSS requirements.

holymolly (Option: B)

B is correct

BiteSize (Option: B)

RC4 is BAD! Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Zulunation

WHEN DO YOU TAKE THE EXAM?

Uncle_Lucifer

He already took it and passed.

margomi86 (Option: B)

The TLS_DHE_DSS_WITH_RC4_128_SHA cipher should be removed from the web server configuration since it uses the insecure RC4 encryption algorithm, which is vulnerable to on-path attacks. Therefore, the answer is B.

Sloananne (Option: B)

B is the only insecure one.

adamwella (Option: B)

Where are the contributor admins on these questions? It's clearly B, yet we have trolls selecting the wrong answers.

patinho777

Can someone explain why? Thanks!