Exam CAS-004 topic 1 question 31 discussion

The answer is D. Cert Pinning. If we are trying to defend against HTTPS interception and we are already using HTTPS (TLS1.2) why would we want HSTS? All HSTS does is enforce the use of HTTPS. This would be great to defend against attacks like Cert Downgrading, but not HTTPS interception attacks. These attacks are designed to work against HTTPS, what would ensure we use HTTPS do for us in this case? Both HSTS and Cert Pinning are security controls! But HSTS ensures HTTPS while Cert pinning enhances HTTPS.

"How it works Pinning allows for a trusted copy of a certificate or public key to be associated with a server and thus reducing the likelihood of frequently visited sites being subjected to man-in-the-middle attacks. Certificates or public keys can be pinned after a trusted connection has been established or the pinning can be preloaded in an application, which is the preferred method for mobile applications." https://d3fend.mitre.org/technique/d3f:CertificatePinning/

According to Jason Dion, certificate pinning "is no longer considered secure and should not be used".

The key words here are "mobile application". This is not a browser and app can be configured by the company.

HSTS is the HTTP Strict Transport Security web security policy and this is going to be used to protect your website against protocol downgrade attacks and cookie hijacking. It going to allow web servers to declare that web browsers or other compliant user agents should only interact with that server using secure HTTPS connections and never through insecure HTTP protocols. Certificate Pinning or Public Key Pinning is a security mechanism which allows HTTPS website to resist impersonation by attackers using miss-issued or otherwise fraudulent certificates. So with this illustration, Option D is the answer to the question.

C is correct

Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Correct Answer is D. "Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. " you can read full article: https://www.cisa.gov/news-events/alerts/2017/03/16/https-interception-weakens-tls-security certificate pinning, would be the BEST solution against HTTPS interception attacks in this scenario.

The BEST solution against HTTPS interception attacks is certificate pinning. Certificate pinning is a technique where the client application hardcodes the server's certificate or public key to ensure that only that certificate or key is trusted. This means that if an attacker tries to intercept the traffic and replace the certificate with a different one, the client will detect the difference and refuse to communicate with the attacker's server. Option A (cookies) and Option B (wildcard certificates) are not related to HTTPS interception attacks. Option C (HSTS) is a security feature that forces the client to always communicate with the server over HTTPS, but it does not prevent HTTPS interception attacks. Therefore, Option D (certificate pinning) is the correct answer.

Question states they are already using HTTPS, so HSTS doesn't really help. Certificate pinning is used to prevent attacks from intercepting. https://expeditedsecurity.com/blog/what-is-certificate-pinning/

First: HSTS stands for HTTP Strict Transport Security, it's a web security policy mechanism that forces web browsers to interact with websites only via secure HTTPS connections (and never HTTP second: Certificate pinning is an online application security technique, originally devised as a means of thwarting man-in-the-middle attacks (MITM), that accepts only authorized (“pinned”) certificates for authentication of client-server connections correct answer is C, Certificate pinning

C, because HTST will enforce using HTTPS

C, HSTS Cert pinning is deprecated

The answer is C https://https.cio.gov/hsts/

answer is C