Which of the following is true about the main difference between a web session that uses port 80 and one that uses port 443?


A.
Port 80 web sessions often use application-level encryption, while port 443 sessions often use
transport-level encryption.

B.
Port 80 web sessions cannot use encryption, while port 443 sessions are encrypted using web
certificates.

C.
Port 80 web sessions can use web application proxies, while port 443 sessions cannot traverse
web application proxies.

D.
Port 80 web sessions are prone to man-in-the-middle attacks, while port 443 sessions are
immune from man-in-the-middle attacks.

Explanation:





Ahmad


Correct answer should be “B”. Port 80 never uses any kind of encryption and 443 is not a transport layer but a session layer protocol.

Test Taker


This is a badly worded question and answer. Port 443 sessions don’t “often” use encryption. They always use transport layer encryption.

Answer B is not a great answer because sessions are not encrypted with a “web certificate”. The web certificate is only used to establish a session key which is then used to encrypt the session.

Answer C is not a great answer because SSL/TLS can traverse a proxy if everything is properly configured.

Answer D is not a great answer because SSL/TLS does not 100% guarantee you are free from MITM attacks. Implementation details are important in the prevention of MITM.

Jake


If you read the part that says “application-level encryption”, this is associating the traffic going through port 80 as being encrypted at the application level in the OSI layer model. Sure, it’s badly worded, but you are choosing what part you want to read and ignoring the key words.

guest


I swear both the certification test and simulation tests are made by people who don’t know how to ask a question correctly. I got an answer wrong on my cert test that I knew was correct 100%; I even looked it up to verify it along with my networking professor. These tests need to be in plain English that everyone can understand.

Blacklight


Agreed {nodding in comprehension}

Jake


You are 100% correct. Just like how the CompTIA Certmaster, which costs $100 to take, has a question asking how to stop a DDoS and the answer is “Wait for it to finish”, which is a complete joke. There are so many ways to mitigate a DoS, and “waiting for it to finish” is not anywhere near the best answer. The N+ also has a bunch of questions that are filled with bad grammar and poor sentence structure.

Ahmad


My vote is 99% for B as 443 sessions are not IMMUNE from man-in-the-middle attacks. With Advanced Persistent Threats on the rise, a 443 session can also be intercepted.

Bob Barker


Still having some issues understanding this…Port 80 is HTTP, which I know is the presentation layer. But 443 is HTTPS which is supposedly in the Transport layer, with TCP and UDP? Quite confused. I’m searching for OSI model explanations, and none of them seem to list HTTPS in the Transport layer…Anyone able to clarify?
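
On the layering question raised in this thread: HTTPS is ordinary HTTP carried inside TLS, which itself runs over TCP, so the difference between the two ports shows up in the first bytes a client sends. The following is an added example, not part of any comment or of the original question; `classify_first_bytes` and both byte samples are constructed for illustration.

```python
import struct

# Constructed samples (not captured traffic): the first bytes a client sends.
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# Record header 16 03 01 02 00 (handshake, legacy version 3.1, 512 bytes),
# then handshake header 01 00 01 fc (ClientHello, 508 bytes), then 03 03.
TLS_SAMPLE = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03")

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT", b"TRACE")
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record TLS 1.2 allows


def classify_first_bytes(data: bytes) -> dict:
    """Classify the start of a TCP stream as plaintext HTTP, a TLS record, or unknown."""
    # Plaintext HTTP: the request line "<METHOD> <target> HTTP/x.y" is readable as-is.
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return {"kind": "http-plaintext",
                "method": parts[0].decode("ascii"),
                "target": parts[1].decode("ascii", "replace")}
    # TLS record header: content type (1 byte), legacy version (2), length (2).
    if len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 \
                and length <= MAX_RECORD_LEN:
            info = {"kind": "tls-record",
                    "content_type": TLS_CONTENT_TYPES[ctype],
                    "record_length": length}
            # The first byte of a handshake record is the message type; 1 = ClientHello.
            if ctype == 22 and len(data) >= 6:
                info["client_hello"] = data[5] == 1
            return info
    return {"kind": "unknown"}


if __name__ == "__main__":
    for name, sample in (("plaintext sample", HTTP_SAMPLE), ("TLS sample", TLS_SAMPLE)):
        print(name, classify_first_bytes(sample))
```

The classifier looks only at content, so it gives the same answer whichever port the bytes arrived on; the HTTP request of a port 443 session exists only inside later `application_data` records, after the handshake has produced the session keys.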