Exam CAS-004
Question 190

A user experiences an HTTPS connection error when trying to access an Internet banking website from a corporate laptop. The user then opens a browser on a mobile phone and is able to access the same Internet banking website without issue. Which of the following security configurations is MOST likely the cause of the error?

    Correct Answer: C

    The error is confined to the corporate laptop, while the same site works from a phone that is not on the corporate network, so the cause lies on the client side or in the network path rather than at the bank. Certificate pinning is a client-side control: the client accepts only a predefined certificate or public key for a given host, even when the operating system's trust store would accept the chain it was handed. Corporate laptops commonly have their HTTPS traffic run through a TLS-inspection proxy that terminates the connection and presents a substitute certificate issued by the enterprise CA. A pinned client rejects that substitute because its key does not match the pin, and the browser reports an HTTPS connection error; the phone, connecting directly, receives the bank's genuine certificate and the pin matches. HSTS does not fit the symptom, because it only forces a browser to use HTTPS instead of HTTP, and the user was already connecting over HTTPS. This makes certificate pinning the most likely cause of the error. A practical check is to compare the issuer of the certificate shown by the laptop's browser with the one shown on the phone: an issuer that is an internal corporate CA means the laptop's traffic is being intercepted.

Discussion
Mr_BuCk3th34D (Option: C)

It is likely that the cause of the error is certificate pinning, which is a security feature that allows a client device to verify the authenticity of a server's certificate by comparing it to a predetermined set of trusted certificates. If the certificate presented by the server does not match one of the trusted certificates, the client will experience an HTTPS connection error. It is possible that the corporate laptop has a different set of trusted certificates than the mobile phone, which is why the user was able to access the Internet banking website on the mobile phone but not on the corporate laptop.

dangerelchulo (Option: A)

It is browser-based and is created by HSTS; when you reset it, the problem goes away. Also, the answer is A in another test bank. Check the link for more info: https://help.siteimprove.com/support/solutions/articles/80000489888-clearing-hsts-settings-to-fix-a-too-many-redirects-page-report-error

imather (Option: B)

D - Not relevant.
C - Certificate pinning does not make sense for accessing a bank website. Why would the bank only allow trusted clients to access it?
B - If the bank is running TLS 1.2 and the company does not allow that, or if the company only supports TLS 1.2 and the bank is using 1.3, then that could cause errors.
A - HSTS is a protocol to upgrade from HTTP to HTTPS, but it is sent from the site to the browser; it is not a setting on the browser.

josepa

A correct answer

hidady (Option: A)

A is the correct answer

Sam1289 (Option: A)

In this scenario, the user's corporate laptop may have cached the HSTS policy and attempted to access the website over HTTPS, resulting in a connection error if there's an issue with the HTTPS configuration. On the other hand, the mobile phone's browser may not have cached the HSTS policy, allowing the user to access the HTTP version of the website without issue. Therefore, the most likely cause of the error in this case is A. HSTS (HTTP Strict Transport Security).

BiteSize (Option: B)

This question was tricky because of the various maybes of the corporate laptop. The type of organization is up to interpretation by the reader. The organization could have old computers, a small number of users, not a mature security program, or it could be quite the opposite. This is why I feel that the answers vary as much as they do. ChatGPT says A (HSTS) and all the test banks do as well. However, the Microsoft AI says B, TLS 1.2. This makes the decision difficult, but I am trying to focus on the corporate portion and the date of the latest revision of the test (past year or so) to think about modern techniques and common issues in 2022 instead of when HSTS was first implemented, July 26, 2016, by Google.

BiteSize

Looking up which of the techniques listed in A, B, and C are feasible and common, I came up with B, TLS 1.2. Based on my experience, there are many issues when the wrong TLS boxes are checked, and corporate laptops always mess with those. Certificate pinning isn't that common; imagine ONLY using certs you say are good. Your users would be clamoring daily to the help desk and the overhead for the Active Directory team to manage the CRL would be insane. HSTS is a normal thing configured pretty smoothly and honestly doesn't come up as an issue in the large enterprise I work at; it is now well past 2016 when we first saw this rollout. Therefore, I'm going against the grain and being the ONLY person that picks B.

BiteSize

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

[Removed] (Option: C)

Just using SSL and HTTPS doesn't fully protect your data. Instead, certificate pinning currently tops the list of ways to make your application traffic secure, and it looks like the corporate laptop browser is not capable of doing so, but mobile OSs, on the other hand, allow for certificate pinning. This helps thwart man-in-the-middle attacks: https://www.youtube.com/watch?v=is8lHjEkk7U

youngprinceton

When are you going to test?

[Removed]

Answer maybe A. From the book: HTTP Strict Transport Security (HSTS). As you know, HTTP is a plaintext protocol, so when security is an issue (and when isn't it?), HTTPS should be used. However, even when you require HTTPS, it is sometimes possible for a hacker to force a client to use HTTP instead; this is called a downgrade attack. HTTP Strict Transport Security (HSTS) is a policy mechanism that prevents such attacks and several other types as well. When using HSTS, a web server informs web browsers (or other user agents) that they should automatically interact with it using only HTTPS connections.
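As an added example, not part of the page or of any poster's comment, the following Go program models the browser-side HSTS cache that the quoted passage describes: it parses a Strict-Transport-Security header, records the policy only when the header arrived over HTTPS, honours max-age, includeSubDomains and max-age=0, and then rewrites navigations. The hostname and header value are constructed for illustration. The behaviour worth seeing when weighing option A against the question's wording is that the rewrite touches only http:// URLs; an https:// request goes through untouched, and nothing here inspects the certificate or the TLS version.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// hstsPolicy is what a browser caches after seeing the header on an HTTPS response.
type hstsPolicy struct {
	expires           time.Time
	includeSubDomains bool
}

// hstsStore models a browser's HSTS cache; the clock is injected for testing.
type hstsStore struct {
	now      func() time.Time
	policies map[string]hstsPolicy
}

// parseHSTS parses a header value per RFC 6797: max-age is required, includeSubDomains optional.
func parseHSTS(header string) (maxAge int64, includeSub bool, err error) {
	seen := false
	for _, d := range strings.Split(header, ";") {
		name, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		switch strings.ToLower(name) {
		case "max-age":
			seen = true
			maxAge, err = strconv.ParseInt(strings.Trim(val, `"`), 10, 64)
			if err != nil || maxAge < 0 {
				return 0, false, errors.New("invalid max-age: " + val)
			}
		case "includesubdomains":
			includeSub = true
		}
	}
	if !seen {
		return 0, false, errors.New("max-age directive missing")
	}
	return maxAge, includeSub, nil
}

// Learn records a header received for host. A browser ignores the header on a
// plain-HTTP response (overTLS false); max-age=0 makes it forget the host.
func (s *hstsStore) Learn(host, header string, overTLS bool) error {
	if !overTLS {
		return nil
	}
	maxAge, includeSub, err := parseHSTS(header)
	if err != nil {
		return err
	}
	if maxAge == 0 {
		delete(s.policies, host)
		return nil
	}
	s.policies[host] = hstsPolicy{expires: s.now().Add(time.Duration(maxAge) * time.Second), includeSubDomains: includeSub}
	return nil
}

// isKnown reports whether host, or a parent domain whose policy covers
// subdomains, has an unexpired entry.
func (s *hstsStore) isKnown(host string) bool {
	labels := strings.Split(host, ".")
	for i := range labels {
		p, ok := s.policies[strings.Join(labels[i:], ".")]
		if ok && s.now().Before(p.expires) && (i == 0 || p.includeSubDomains) {
			return true
		}
	}
	return false
}

// Rewrite is all HSTS does at navigation time: an http:// URL for a known host
// becomes https://; an https:// URL comes back unchanged.
func (s *hstsStore) Rewrite(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "http" && s.isKnown(u.Hostname()) {
		u.Scheme = "https"
	}
	return u.String(), nil
}

func main() {
	fixed := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	store := &hstsStore{now: func() time.Time { return fixed }, policies: map[string]hstsPolicy{}}
	// Constructed header, as the bank would send it on every HTTPS response.
	_ = store.Learn("bank.example", "max-age=31536000; includeSubDomains", true)
	for _, in := range []string{"http://bank.example/login", "http://www.bank.example/", "https://bank.example/login"} {
		out, _ := store.Rewrite(in)
		fmt.Printf("%-28s -> %s\n", in, out)
	}
}
```

The two http:// inputs are upgraded, the https:// input is returned as it was given. Clearing a browser's HSTS entry, as suggested elsewhere in this thread, only changes whether this rewrite happens; it does not alter how the resulting HTTPS handshake is validated.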

EAlonso (Option: B)

B. It could be any of them, but B makes more sense: for HSTS, directives 301 & 307 are likely to be already set on the server and client; certificate pinning is more associated with applications; I guess portals are more associated with certificate stapling.

TomasValtor (Option: C)

Answer: C. See this: https://www.ssls.com/blog/the-problem-with-certificate-pinning/#:~:text=While%20certificate%20pinning%20doesn%27t,clients%20could%20experience%20service%20interruption.

ThatGuyOverThere (Option: C)

Corporate network is probably using SSL decryption to analyze traffic for all things malicious and/or DLP. SSL decryption doesn't work with sites using certificate pinning because to SSL decrypt you must use a different cert for MITM to decrypt.

32d799a (Option: C)

Certificate pinning - This is the practice of associating a host with a specific certificate. If the corporate laptop's browser or its security software detects a different certificate (even if it's valid), it will block the connection. This is likely the reason, especially if the corporate laptop has some security tools or policies in place that enforce or monitor certificate pinning. The mobile phone wouldn't have this same restriction, so it can access the site without issue.

Ariel235788 (Option: A)

The MOST likely security configuration causing the HTTPS connection error when trying to access the Internet banking website from the corporate laptop is: A. HSTS (HTTP Strict Transport Security). HSTS is a security feature that enforces the use of HTTPS for web connections. When a website is configured with HSTS, it instructs the user's browser to only use secure, encrypted connections (HTTPS) when communicating with the site. If the corporate laptop's browser has encountered an issue with HSTS settings, it could prevent the connection to the Internet banking website via HTTPS, resulting in an error.

nuel_12

If you read the question well, it says he is trying to access the website using HTTPS, not HTTP, which the website could reject or which could be subject to a downgrade attack, so the only possible answer is C, certificate pinning.

CXSSP (Option: C)

Selected Answer: C

nycrack (Option: A)

AI says A.

p1s3c (Option: A)

The HTTPS connection error suggests that there may be an issue with the laptop's security configuration. One possible cause of the error could be the HSTS (HTTP Strict Transport Security) configuration, which enforces the use of HTTPS by instructing the browser to only communicate with the website over a secure connection. If the corporate laptop is misconfigured or outdated and does not support HSTS, it may prevent the user from accessing the website over HTTPS. The fact that the mobile phone was able to access the website without issue suggests that the website is not misconfigured. Therefore, option A, HSTS, is the MOST likely cause of the error.