1. What is the primary purpose of SSL/TLS?
A) Encrypting data at rest
B) Providing secure communication over a network
C) Ensuring high-speed data transfer
D) Preventing phishing attacks
β
Answer: B) Providing secure communication over a network
π Explanation: SSL/TLS encrypts data in transit between a client and server, preventing eavesdropping, tampering, and man-in-the-middle attacks.
2. Which protocol has effectively replaced SSL due to security vulnerabilities?
A) TLS
B) HTTP
C) SSH
D) IPsec
β
Answer: A) TLS
π Explanation: TLS (Transport Layer Security) is the successor to SSL, offering enhanced security features and addressing SSLβs vulnerabilities.
3. What is the main difference between TLS 1.2 and TLS 1.3?
A) TLS 1.3 introduces more cipher suites
B) TLS 1.3 removes insecure algorithms and reduces handshake overhead
C) TLS 1.3 is slower than TLS 1.2
D) TLS 1.3 does not support encryption
β
Answer: B) TLS 1.3 removes insecure algorithms and reduces handshake overhead
π Explanation: TLS 1.3 improves performance by removing legacy cryptographic algorithms and reducing handshake steps, making it more secure and faster.
4. What type of encryption is used in TLS for data transmission?
A) Symmetric encryption
B) Asymmetric encryption
C) Hashing
D) Plaintext transmission
β
Answer: A) Symmetric encryption
π Explanation: TLS uses symmetric encryption (AES, ChaCha20, etc.) for fast and efficient data transmission after an initial asymmetric key exchange.
5. Which key exchange algorithm is commonly used in TLS 1.3?
A) RSA
B) Diffie-Hellman
C) Elliptic Curve Diffie-Hellman (ECDHE)
D) Blowfish
β
Answer: C) Elliptic Curve Diffie-Hellman (ECDHE)
π Explanation: TLS 1.3 primarily uses ECDHE for forward secrecy, ensuring session keys are unique for each session.
6. What is a common attack against SSL/TLS?
A) SQL Injection
B) Heartbleed
C) CSRF
D) ARP Spoofing
β
Answer: B) Heartbleed
π Explanation: Heartbleed was a major OpenSSL vulnerability that allowed attackers to read sensitive memory data from servers.
7. What is the purpose of an SSL/TLS certificate?
A) Encrypting data
B) Authenticating a websiteβs identity
C) Blocking malware
D) Improving server performance
β
Answer: B) Authenticating a websiteβs identity
π Explanation: SSL/TLS certificates verify a websiteβs authenticity and establish a secure connection between the client and server.
8. Which port is commonly used for HTTPS traffic secured by TLS?
A) 443
B) 80
C) 22
D) 53
β
Answer: A) 443
π Explanation: HTTPS, which uses SSL/TLS for security, runs on port 443 by default, whereas HTTP (unencrypted) runs on port 80.
9. What happens if a browser encounters an expired SSL certificate?
A) It redirects to an HTTP version
B) It blocks access and shows a security warning
C) It forces an automatic renewal
D) It encrypts the connection anyway
β
Answer: B) It blocks access and shows a security warning
π Explanation: Browsers warn users when an SSL certificate is expired or invalid, as it may indicate an insecure or malicious site.
10. What is the primary benefit of Perfect Forward Secrecy (PFS) in TLS?
A) Faster encryption
B) Protection against future decryption if private keys are compromised
C) Longer SSL certificate validity
D) Reduction in server load
β
Answer: B) Protection against future decryption if private keys are compromised
π Explanation: PFS ensures that even if an attacker obtains a serverβs private key, past communications cannot be decrypted.
11. What does TLS use to establish an encrypted session?
A) Static encryption keys
B) Handshake process
C) Private IP addresses
D) VPN tunnels
β
Answer: B) Handshake process
π Explanation: TLS performs a handshake process to exchange encryption keys and establish a secure session.
12. Which component of TLS ensures data integrity?
A) Public Key Infrastructure (PKI)
B) Cipher Suites
C) Message Authentication Code (MAC)
D) Digital Signatures
β
Answer: C) Message Authentication Code (MAC)
π Explanation: MACs ensure data integrity by detecting tampering during transmission.
13. Which of the following is NOT an encryption algorithm used in TLS?
A) AES
B) RSA
C) Blowfish
D) ChaCha20
β
Answer: C) Blowfish
π Explanation: TLS primarily uses AES and ChaCha20, while RSA is used for key exchange.
14. How does HTTPS differ from HTTP?
A) HTTPS is faster
B) HTTPS encrypts traffic with SSL/TLS
C) HTTPS only works with Chrome
D) HTTP is more secure than HTTPS
β
Answer: B) HTTPS encrypts traffic with SSL/TLS
π Explanation: HTTPS secures communication using SSL/TLS encryption, whereas HTTP transmits data in plaintext.
15. Which organization issues SSL/TLS certificates?
A) ICANN
B) Certificate Authorities (CAs)
C) IANA
D) Google
β
Answer: B) Certificate Authorities (CAs)
π Explanation: CAs (e.g., Letβs Encrypt, DigiCert, GoDaddy) issue and validate SSL/TLS certificates.
16. What is an Extended Validation (EV) SSL certificate?
A) A free SSL certificate
B) A self-signed certificate
C) A certificate with additional business verification
D) A certificate with the longest expiration date
β
Answer: C) A certificate with additional business verification
π Explanation: EV SSL certificates require stricter business verification, providing users with higher trust.
17. What is the role of the “Server Name Indication” (SNI) in TLS?
A) Preventing session hijacking
B) Allowing multiple SSL certificates on the same IP
C) Encrypting client requests
D) Stopping brute-force attacks
β
Answer: B) Allowing multiple SSL certificates on the same IP
π Explanation: SNI allows multiple domains to use different SSL certificates while sharing a single IP address.
18. Which hashing algorithm is considered insecure for TLS?
A) SHA-256
B) SHA-1
C) SHA-512
D) MD5
β
Answer: B) SHA-1
π Explanation: SHA-1 is vulnerable to collision attacks and is deprecated in modern cryptographic practices.
19. What does OCSP Stapling help with in TLS?
A) Faster revocation checks
B) Reducing handshake time
C) Strengthening encryption
D) Generating SSL certificates
β
Answer: A) Faster revocation checks
π Explanation: OCSP Stapling speeds up certificate revocation status checks without burdening Certificate Authorities.
20. What vulnerability did the POODLE attack exploit?
A) TLS 1.3
B) SSL 3.0
C) SHA-256
D) HTTPS Strict Transport Security (HSTS)
β
Answer: B) SSL 3.0
π Explanation: POODLE (Padding Oracle On Downgraded Legacy Encryption) exploited SSL 3.0βs fallback mechanisms, allowing an attacker to decrypt secure data.
21. What type of attack exploits weaknesses in SSL/TLS renegotiation?
A) BEAST
B) CRIME
C) BREACH
D) Renegotiation Attack
β
Answer: D) Renegotiation Attack
π Explanation: SSL/TLS renegotiation attacks exploit vulnerabilities in session renegotiation, potentially allowing a man-in-the-middle (MITM) attack.
22. In TLS, which record layer protocol is responsible for data encryption?
A) Handshake Protocol
B) Alert Protocol
C) Change Cipher Spec Protocol
D) Record Protocol
β
Answer: D) Record Protocol
π Explanation: The Record Protocol is responsible for encrypting and securely transmitting application data in TLS.
23. What does TLS use to prevent replay attacks?
A) Digital Signatures
B) Nonces
C) Session Identifiers
D) Timestamping
β
Answer: B) Nonces
π Explanation: TLS includes nonces (random numbers) in handshakes to prevent replay attacks by ensuring each session is unique.
24. Which attack forces HTTPS sites to fall back to HTTP, making them vulnerable?
A) Heartbleed
B) SSL Stripping
C) POODLE
D) BEAST
β
Answer: B) SSL Stripping
π Explanation: SSL Stripping downgrades HTTPS connections to HTTP, allowing attackers to intercept and manipulate unencrypted traffic.
25. Which protocol is commonly used to check the revocation status of an SSL/TLS certificate?
A) OCSP
B) TCP
C) DNS
D) ARP
β
Answer: A) OCSP
π Explanation: OCSP (Online Certificate Status Protocol) allows real-time checking of certificate revocation, replacing slow CRLs.
26. Which type of encryption does TLS use for session key exchange?
A) Symmetric encryption
B) Asymmetric encryption
C) One-time pad encryption
D) Hashing
β
Answer: B) Asymmetric encryption
π Explanation: TLS initially uses asymmetric encryption (RSA/ECDHE) to securely exchange symmetric encryption keys for the session.
27. Which TLS feature ensures each session has a unique encryption key?
A) Key Reuse
B) Forward Secrecy
C) Static Key Exchange
D) MAC (Message Authentication Code)
β
Answer: B) Forward Secrecy
π Explanation: Forward Secrecy ensures session keys are ephemeral, preventing past communications from being decrypted if private keys are leaked.
28. What is a self-signed SSL/TLS certificate?
A) A certificate issued by a trusted CA
B) A certificate signed by the website itself
C) A certificate that never expires
D) A wildcard certificate
β
Answer: B) A certificate signed by the website itself
π Explanation: Self-signed certificates are not validated by a trusted Certificate Authority (CA), making them insecure for public websites.
29. What is the main purpose of a wildcard SSL certificate?
A) To secure all subdomains of a domain
B) To prevent brute-force attacks
C) To improve TLS performance
D) To bypass OCSP validation
β
Answer: A) To secure all subdomains of a domain
π Explanation: Wildcard certificates secure all subdomains under a domain (e.g., *.example.com secures www.example.com, mail.example.com, etc.).
30. What does the BEAST attack exploit?
A) Weakness in CBC mode ciphers in TLS 1.0
B) Certificate validation flaws
C) HTTP downgrade mechanisms
D) Key exchange protocols
β
Answer: A) Weakness in CBC mode ciphers in TLS 1.0
π Explanation: BEAST (Browser Exploit Against SSL/TLS) targeted a CBC mode vulnerability in TLS 1.0, allowing attackers to decrypt HTTPS traffic.
31. What cryptographic algorithm does TLS 1.3 remove due to security issues?
A) AES-GCM
B) RSA key exchange
C) ChaCha20
D) SHA-512
β
Answer: B) RSA key exchange
π Explanation: TLS 1.3 removes RSA key exchange due to lack of forward secrecy, favoring ECDHE instead.
32. How does TLS handle multiple domain certificates securely?
A) By using Subject Alternative Name (SAN) fields
B) By issuing a certificate for each subdomain
C) By using static IP addresses
D) By requiring wildcard certificates
β
Answer: A) By using Subject Alternative Name (SAN) fields
π Explanation: SAN certificates allow a single certificate to secure multiple domain names (example.com, sub.example.com, etc.).
33. What does HTTPS Strict Transport Security (HSTS) do?
A) Forces browsers to use HTTPS
B) Encrypts cookies
C) Speeds up SSL/TLS handshakes
D) Prevents DNS spoofing
β
Answer: A) Forces browsers to use HTTPS
π Explanation: HSTS ensures browsers always connect via HTTPS, preventing downgrade attacks like SSL Stripping.
34. Why is TLS 1.0 considered insecure?
A) It uses outdated cryptographic algorithms
B) It does not support encryption
C) It does not work with modern browsers
D) It is slower than TLS 1.3
β
Answer: A) It uses outdated cryptographic algorithms
π Explanation: TLS 1.0 is deprecated due to vulnerabilities in CBC mode and weak cipher suites.
35. What is a primary disadvantage of RSA encryption in TLS?
A) It is not widely supported
B) It lacks forward secrecy
C) It is faster than ECC
D) It cannot be used for certificates
β
Answer: B) It lacks forward secrecy
π Explanation: RSA key exchange does not provide forward secrecy, meaning if the private key is compromised, past communications can be decrypted.
36. Which attack exploits compression-based vulnerabilities in TLS?
A) CRIME
B) Heartbleed
C) POODLE
D) Man-in-the-Middle
β
Answer: A) CRIME
π Explanation: CRIME (Compression Ratio Info-leak Made Easy) exploits TLS compression to extract encrypted data.
37. What does a TLS downgrade attack do?
A) Forces the use of a weaker TLS version
B) Upgrades connections to TLS 1.3
C) Replaces TLS with SSH
D) Blocks certificate validation
β
Answer: A) Forces the use of a weaker TLS version
π Explanation: Downgrade attacks force connections to use older, vulnerable TLS/SSL versions.
38. What protocol ensures the confidentiality of HTTPS traffic?
A) TLS
B) HTTP
C) SSH
D) ARP
β
Answer: A) TLS
π Explanation: TLS provides encryption, integrity, and authentication for HTTPS connections.
39. Why should SSL 3.0 no longer be used?
A) It does not support modern browsers
B) It is vulnerable to POODLE attacks
C) It is slower than TLS 1.3
D) It lacks encryption
β
Answer: B) It is vulnerable to POODLE attacks
π Explanation: SSL 3.0 is deprecated due to the POODLE vulnerability, which allows attackers to decrypt secure sessions.
40. What is the purpose of a Certificate Revocation List (CRL)?
A) To list expired certificates
B) To revoke compromised or invalid certificates
C) To validate certificate chains
D) To generate new TLS certificates
β
Answer: B) To revoke compromised or invalid certificates
π Explanation: CRLs maintain a list of revoked certificates to prevent their misuse.
41. What is the primary function of a Certificate Authority (CA) in SSL/TLS?
A) Encrypting website traffic
B) Verifying domain ownership and issuing digital certificates
C) Detecting network attacks
D) Managing firewall rules
β
Answer: B) Verifying domain ownership and issuing digital certificates
π Explanation: CAs issue SSL/TLS certificates and validate domain or business ownership to establish trust in secure communications.
42. What does the βChain of Trustβ in SSL/TLS refer to?
A) A sequence of network devices verifying encryption
B) A hierarchy of certificates leading back to a trusted root CA
C) A blockchain-based encryption method
D) A chain of encrypted data packets
β
Answer: B) A hierarchy of certificates leading back to a trusted root CA
π Explanation: The Chain of Trust ensures that a websiteβs certificate is validated through intermediate and root certificates issued by a trusted CA.
43. Which of the following is NOT a valid SSL/TLS certificate type?
A) Domain Validated (DV) Certificate
B) Organization Validated (OV) Certificate
C) Quantum Validated (QV) Certificate
D) Extended Validation (EV) Certificate
β
Answer: C) Quantum Validated (QV) Certificate
π Explanation: SSL/TLS certificates are categorized into DV, OV, and EV, but there is no Quantum Validated (QV) Certificate.
44. How does TLS ensure data integrity?
A) By encrypting data at the application layer
B) By using hashing algorithms such as HMAC
C) By splitting data into multiple encrypted packets
D) By using public-key cryptography
β
Answer: B) By using hashing algorithms such as HMAC
π Explanation: TLS uses HMAC (Hashed Message Authentication Code) to ensure data integrity by verifying that messages are not altered in transit.
45. What is the difference between RSA and ECDSA in SSL/TLS certificates?
A) RSA is faster than ECDSA
B) ECDSA provides the same security with smaller key sizes
C) RSA is used only for symmetric encryption
D) ECDSA cannot be used for digital signatures
β
Answer: B) ECDSA provides the same security with smaller key sizes
π Explanation: Elliptic Curve Digital Signature Algorithm (ECDSA) is more efficient than RSA because it provides the same security with smaller key sizes.
46. What is the default expiration period for Letβs Encrypt SSL certificates?
A) 30 days
B) 90 days
C) 1 year
D) 2 years
β
Answer: B) 90 days
π Explanation: Letβs Encrypt issues SSL certificates with a 90-day validity to encourage automation and enhance security.
47. Which component of TLS prevents replay attacks?
A) Padding schemes
B) Nonces and sequence numbers
C) Session caching
D) OCSP stapling
β
Answer: B) Nonces and sequence numbers
π Explanation: TLS uses nonces (random values) and sequence numbers to ensure each session is unique and to prevent replay attacks.
48. What does a Root Certificate Authority (Root CA) do?
A) Issues certificates directly to end-users
B) Issues certificates to Intermediate Certificate Authorities
C) Encrypts all TLS traffic globally
D) Stores private keys for all SSL certificates
β
Answer: B) Issues certificates to Intermediate Certificate Authorities
π Explanation: A Root CA issues certificates to Intermediate CAs, which then issue end-user certificates.
49. What is the primary function of the TLS Alert Protocol?
A) Initiating TLS handshakes
B) Notifying peers of security-related issues
C) Encrypting the data payload
D) Generating digital signatures
β
Answer: B) Notifying peers of security-related issues
π Explanation: The TLS Alert Protocol is used to send warnings or fatal error messages when security issues occur.
50. What happens when a browser encounters a self-signed SSL certificate?
A) The connection is established securely
B) The browser displays a warning message
C) The certificate is automatically trusted
D) The website is blocked
β
Answer: B) The browser displays a warning message
π Explanation: Browsers warn users about self-signed certificates because they are not verified by a trusted CA.
51. What is the purpose of an Intermediate Certificate Authority (CA)?
A) To issue and validate SSL certificates on behalf of a Root CA
B) To store private keys for SSL/TLS encryption
C) To enforce HTTP Strict Transport Security (HSTS)
D) To detect SSL/TLS vulnerabilities
β
Answer: A) To issue and validate SSL certificates on behalf of a Root CA
π Explanation: Intermediate CAs issue SSL certificates, reducing the risk of exposing Root CA private keys.
52. What type of SSL certificate is required to secure multiple domains under a single certificate?
A) Wildcard Certificate
B) Multi-Domain (SAN) Certificate
C) Self-Signed Certificate
D) Extended Validation (EV) Certificate
β
Answer: B) Multi-Domain (SAN) Certificate
π Explanation: A SAN (Subject Alternative Name) certificate secures multiple domains under one SSL certificate.
53. Which TLS extension helps prevent SNI-based censorship?
A) OCSP Stapling
B) Encrypted Client Hello (ECH)
C) Perfect Forward Secrecy
D) TLS Session Resumption
β
Answer: B) Encrypted Client Hello (ECH)
π Explanation: ECH encrypts the Server Name Indication (SNI) field to prevent censorship and surveillance by attackers.
54. What does SSL Offloading do?
A) Moves SSL/TLS encryption and decryption to a dedicated device
B) Stores SSL certificates on end-user devices
C) Prevents brute-force attacks
D) Encrypts database connections
β
Answer: A) Moves SSL/TLS encryption and decryption to a dedicated device
π Explanation: SSL Offloading reduces server load by handling encryption at a dedicated load balancer or appliance.
55. What is the main advantage of TLS Session Resumption?
A) It improves security against MITM attacks
B) It speeds up repeated TLS handshakes
C) It enforces strict certificate validation
D) It blocks phishing websites
β
Answer: B) It speeds up repeated TLS handshakes
π Explanation: TLS Session Resumption reduces handshake time, improving performance for repeated connections.
56. Why is TLS 1.3 considered more secure than TLS 1.2?
A) It introduces new compression algorithms
B) It removes weak cryptographic algorithms
C) It enforces HTTP/2 usage
D) It requires certificate pinning
β
Answer: B) It removes weak cryptographic algorithms
π Explanation: TLS 1.3 eliminates RSA key exchange, SHA-1, and old ciphers, making it more secure.
57. What is the primary reason to use DNS over HTTPS (DoH)?
A) To prevent DNS spoofing attacks
B) To encrypt website content
C) To speed up SSL/TLS handshakes
D) To replace TCP/IP
β
Answer: A) To prevent DNS spoofing attacks
π Explanation: DoH encrypts DNS queries, preventing man-in-the-middle and spoofing attacks.
58. What is the function of TLS False Start?
A) It reduces handshake latency by sending encrypted data sooner
B) It forces clients to use TLS 1.3
C) It encrypts TLS certificates
D) It prevents downgrade attacks
β
Answer: A) It reduces handshake latency by sending encrypted data sooner
π Explanation: TLS False Start sends encrypted data before the handshake completes, improving speed.
59. What is Key Pinning in SSL/TLS?
A) Preloading a specific public key for a domain
B) Encrypting the TLS handshake
C) Preventing TLS session reuse
D) Automating certificate renewal
β
Answer: A) Preloading a specific public key for a domain
π Explanation: Public Key Pinning (HPKP) ensures a client only accepts a predefined public key to prevent impersonation attacks.
60. What is the primary goal of TLS 1.3βs Zero Round Trip Time (0-RTT)?
A) Faster TLS connections
B) Stronger encryption
C) Improved certificate validation
D) Multi-factor authentication
β
Answer: A) Faster TLS connections
π Explanation: 0-RTT allows clients to resume secure sessions without full handshakes, improving performance.
61. What is the primary purpose of the TLS Finished message in the handshake process?
A) To verify that the handshake was completed successfully
B) To initiate encryption for the session
C) To generate session keys
D) To send the serverβs certificate
β
Answer: A) To verify that the handshake was completed successfully
π Explanation: The Finished message in TLS confirms that the handshake was successful and prevents tampering with the handshake messages.
62. Which of the following is NOT part of a typical TLS cipher suite?
A) Key exchange algorithm
B) Hashing function
C) Compression method
D) Symmetric encryption algorithm
β
Answer: C) Compression method
π Explanation: TLS does not use compression by default due to vulnerabilities like CRIME, which exploited compression-based side-channel leaks.
63. Why is disabling older TLS versions (1.0 and 1.1) recommended?
A) They do not support AES encryption
B) They are no longer considered secure
C) They are not compatible with modern web applications
D) They do not support server authentication
β
Answer: B) They are no longer considered secure
π Explanation: TLS 1.0 and 1.1 have known vulnerabilities and lack modern cryptographic enhancements, making them insecure.
64. What is the primary advantage of Elliptic Curve Cryptography (ECC) in SSL/TLS?
A) It is more resistant to attacks
B) It requires smaller key sizes for the same level of security
C) It does not require certificate authorities
D) It can only be used for symmetric encryption
β
Answer: B) It requires smaller key sizes for the same level of security
π Explanation: ECC provides the same level of security as RSA with much smaller key sizes, improving performance.
65. What is the primary purpose of the Change Cipher Spec message in TLS?
A) To indicate the switch from unencrypted to encrypted communication
B) To initiate a new TLS session
C) To downgrade to a lower encryption level
D) To verify the SSL certificate
β
Answer: A) To indicate the switch from unencrypted to encrypted communication
π Explanation: The Change Cipher Spec message tells the client and server to begin using encryption for communication.
66. Which TLS extension is used to provide encryption to the Server Name Indication (SNI)?
A) OCSP Stapling
B) Encrypted Client Hello (ECH)
C) TLS False Start
D) Perfect Forward Secrecy
β
Answer: B) Encrypted Client Hello (ECH)
π Explanation: ECH encrypts the SNI field, preventing attackers from determining which website a user is connecting to.
67. Why are SHA-1 certificates no longer considered secure for TLS?
A) They use outdated encryption algorithms
B) They are vulnerable to collision attacks
C) They do not support key exchange
D) They require manual renewal
β
Answer: B) They are vulnerable to collision attacks
π Explanation: SHA-1 is vulnerable to cryptographic collisions, allowing attackers to create fraudulent certificates.
68. What does the TLS Handshake Failure error indicate?
A) The SSL certificate is self-signed
B) The client and server could not agree on a cipher suite
C) The session has expired
D) The TLS version is too high
β
Answer: B) The client and server could not agree on a cipher suite
π Explanation: A TLS Handshake Failure occurs when the client and server fail to find a mutually supported cipher suite.
69. What does the Heartbleed vulnerability exploit?
A) A flaw in OpenSSLβs Heartbeat extension
B) A weakness in TLS 1.3
C) A compression side-channel attack
D) An issue in certificate validation
β
Answer: A) A flaw in OpenSSLβs Heartbeat extension
π Explanation: Heartbleed exploited a bug in OpenSSLβs Heartbeat extension, allowing attackers to read sensitive server memory.
70. Which of the following is a disadvantage of wildcard SSL certificates?
A) They are more expensive than regular certificates
B) If compromised, all subdomains are at risk
C) They do not support HTTPS
D) They expire more frequently than standard SSL certificates
β
Answer: B) If compromised, all subdomains are at risk
π Explanation: A compromised wildcard certificate affects all subdomains covered under it, making it a potential security risk.
71. What is the main purpose of TLS session tickets?
A) To store encryption keys permanently
B) To speed up resumed TLS connections
C) To encrypt TLS certificates
D) To verify OCSP responses
β
Answer: B) To speed up resumed TLS connections
π Explanation: Session tickets allow clients to resume a previous TLS session without performing a full handshake.
72. What is the function of OCSP Must-Staple in SSL/TLS?
A) It forces the browser to always check OCSP responses
B) It disables OCSP checking
C) It encrypts OCSP responses
D) It prevents SSL stripping attacks
β
Answer: A) It forces the browser to always check OCSP responses
π Explanation: OCSP Must-Staple ensures that clients receive real-time certificate revocation checks, improving security.
73. Why should expired SSL certificates be avoided?
A) They can no longer provide encryption
B) They trigger browser security warnings
C) They require manual renewal every month
D) They cause websites to run slower
β
Answer: B) They trigger browser security warnings
π Explanation: Expired SSL certificates cause browser security warnings, making a website appear untrustworthy.
74. What does TLS downgrade protection prevent?
A) Encryption keys from being leaked
B) Attackers from forcing clients to use older, insecure TLS versions
C) Users from accessing HTTP websites
D) The need for wildcard certificates
β
Answer: B) Attackers from forcing clients to use older, insecure TLS versions
π Explanation: TLS downgrade protection prevents attackers from forcing connections to insecure versions like TLS 1.0 or SSL 3.0.
75. Which attack exploits SSL/TLS session resumption to hijack a session?
A) BEAST
B) SSL Stripping
C) Session Fixation Attack
D) CRIME
β
Answer: C) Session Fixation Attack
π Explanation: Session Fixation forces a victim to use a known session ID, allowing an attacker to hijack the TLS session.
76. What is the purpose of Forward Secrecy in TLS?
A) To ensure past communications remain secure even if private keys are compromised
B) To speed up HTTPS connections
C) To prevent man-in-the-middle attacks
D) To enforce OCSP checking
β
Answer: A) To ensure past communications remain secure even if private keys are compromised
π Explanation: Forward Secrecy generates a new encryption key for each session, preventing old conversations from being decrypted.
77. What is a TLS downgrade attack also known as?
A) MITM attack
B) FREAK attack
C) Logjam attack
D) POODLE attack
β
Answer: D) POODLE attack
π Explanation: POODLE (Padding Oracle On Downgraded Legacy Encryption) forces servers to use insecure SSL 3.0 instead of TLS.
78. What is the main advantage of HTTP/2 over HTTP/1.1 in terms of SSL/TLS?
A) It enforces TLS encryption
B) It allows multiple requests over a single connection
C) It removes the need for SSL certificates
D) It does not require a handshake
β
Answer: B) It allows multiple requests over a single connection
π Explanation: HTTP/2 improves efficiency by multiplexing requests, reducing TLS handshake overhead.
79. Why is DNS over HTTPS (DoH) useful for SSL/TLS security?
A) It prevents DNS-based MITM attacks
B) It replaces TLS
C) It speeds up DNS queries
D) It prevents SQL injection
β
Answer: A) It prevents DNS-based MITM attacks
π Explanation: DoH encrypts DNS queries, preventing attackers from spoofing DNS responses.
80. What is the main purpose of Transport Layer Security (TLS)?
A) To encrypt and authenticate data in transit
B) To store passwords securely
C) To replace SSL certificates
D) To improve website load times
β
Answer: A) To encrypt and authenticate data in transit
π Explanation: TLS provides encryption, integrity, and authentication for secure communications over networks.
81. What is the main role of the Record Protocol in SSL/TLS?
A) Performing the handshake between client and server
B) Encrypting and ensuring integrity of transmitted data
C) Validating SSL/TLS certificates
D) Managing DNS resolution
β
Answer: B) Encrypting and ensuring integrity of transmitted data
π Explanation: The Record Protocol in SSL/TLS handles encryption, integrity verification, and fragmentation of application data.
82. What is the purpose of the ServerHello message in a TLS handshake?
A) It initiates a session key exchange
B) It verifies the clientβs certificate
C) It provides the selected cipher suite and TLS version
D) It encrypts the session
β
Answer: C) It provides the selected cipher suite and TLS version
π Explanation: ServerHello sends the chosen TLS version, cipher suite, and session ID back to the client.
83. Which TLS version introduced Zero Round Trip Time (0-RTT) mode?
A) TLS 1.0
B) TLS 1.2
C) TLS 1.3
D) SSL 3.0
β
Answer: C) TLS 1.3
π Explanation: TLS 1.3 introduced 0-RTT, allowing resumed sessions to send encrypted data immediately without a full handshake.
84. What type of attack does HTTP Public Key Pinning (HPKP) mitigate?
A) Man-in-the-middle attacks with fraudulent certificates
B) SQL Injection
C) Cross-Site Scripting (XSS)
D) Denial-of-Service (DoS)
β
Answer: A) Man-in-the-middle attacks with fraudulent certificates
π Explanation: HPKP ensures browsers only accept specific public keys, preventing attackers from using fraudulent certificates.
85. Why is SSL/TLS session caching useful?
A) It speeds up session resumption by reusing previous session keys
B) It eliminates the need for encryption
C) It prevents TLS downgrade attacks
D) It blocks MITM attacks
β
Answer: A) It speeds up session resumption by reusing previous session keys
π Explanation: Session caching allows clients to reuse session parameters, avoiding full handshakes and improving speed.
86. Which of the following is a valid TLS cipher suite?
A) RSA-MD5-SHA1
B) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
C) DES-RC4-MD5
D) SSL_AES_128_MD5
β
Answer: B) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
π Explanation: Modern TLS cipher suites use ECDHE, AES-GCM, and SHA-384 for strong encryption and authentication.
87. What does an OCSP Responder do in SSL/TLS?
A) It issues new SSL certificates
B) It checks the revocation status of certificates
C) It encrypts client requests
D) It generates session keys
β
Answer: B) It checks the revocation status of certificates
π Explanation: OCSP Responders verify if a certificate is revoked and provide real-time certificate status responses.
88. Which attack exploits weak ephemeral Diffie-Hellman key exchange?
A) Logjam
B) POODLE
C) CRIME
D) Heartbleed
β
Answer: A) Logjam
π Explanation: Logjam exploits weak Diffie-Hellman parameters, allowing attackers to break encryption.
89. What is the purpose of a digital signature in SSL/TLS?
A) Encrypting data
B) Ensuring data authenticity and integrity
C) Preventing SSL stripping
D) Speeding up TLS handshakes
β
Answer: B) Ensuring data authenticity and integrity
π Explanation: Digital signatures (e.g., RSA, ECDSA) confirm that messages are authentic and have not been tampered with.
90. What is the function of Diffie-Hellman (DH) in TLS?
A) Encrypting session data
B) Generating a shared secret key for symmetric encryption
C) Managing OCSP responses
D) Preventing session fixation attacks
β
Answer: B) Generating a shared secret key for symmetric encryption
π Explanation: DH and ECDHE key exchanges establish a shared secret used for symmetric encryption.
91. What does the TLS Alert message type βfatalβ indicate?
A) A minor issue in encryption settings
B) A critical error that terminates the TLS connection
C) A warning about an expired certificate
D) A request to upgrade TLS
β
Answer: B) A critical error that terminates the TLS connection
π Explanation: Fatal alerts force an immediate termination of the TLS session due to serious security issues.
92. Which component of TLS provides confidentiality?
A) Asymmetric key exchange
B) Symmetric encryption algorithms
C) Certificate Authorities
D) DNS over HTTPS
β
Answer: B) Symmetric encryption algorithms
π Explanation: TLS uses symmetric encryption (AES, ChaCha20) to ensure data confidentiality.
93. Why is SSL 2.0 considered insecure?
A) It uses SHA-512 for hashing
B) It lacks support for HTTP/2
C) It is vulnerable to man-in-the-middle attacks
D) It only supports wildcard certificates
β
Answer: C) It is vulnerable to man-in-the-middle attacks
π Explanation: SSL 2.0 is deprecated due to MITM vulnerabilities, weak cipher suites, and lack of proper authentication.
94. What is the function of TLS session tickets?
A) Encrypting certificates
B) Resuming previous TLS sessions without full handshake
C) Storing RSA private keys
D) Encrypting HTTP headers
β
Answer: B) Resuming previous TLS sessions without full handshake
π Explanation: Session tickets store session parameters to allow faster TLS handshakes.
95. Which cryptographic algorithm is used in modern TLS handshakes?
A) AES-256-CBC
B) SHA-512
C) ECDHE
D) RC4
β
Answer: C) ECDHE
π Explanation: Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) is widely used in TLS for secure key exchange.
96. Which TLS protocol mode ensures messages are correctly ordered?
A) Certificate Validation
B) Record Layer
C) Hashing Algorithm
D) Cipher Negotiation
β
Answer: B) Record Layer
π Explanation: The Record Layer maintains the correct order of messages using sequence numbers.
97. Which field in an SSL/TLS certificate contains the public key?
A) Subject Alternative Name
B) Common Name
C) X.509 Subject Public Key Info
D) Certificate Revocation List
β
Answer: C) X.509 Subject Public Key Info
π Explanation: X.509 certificates store the public key in the Subject Public Key Info field.
98. Why was TLS 1.1 deprecated?
A) It lacks support for Perfect Forward Secrecy
B) It does not support AES encryption
C) It uses weak key exchange methods
D) It does not support public key cryptography
β
Answer: A) It lacks support for Perfect Forward Secrecy
π Explanation: TLS 1.1 was deprecated because it lacks support for modern cryptographic techniques like PFS.
99. What type of certificates can be used for securing email communications with TLS?
A) EV Certificates
B) Wildcard Certificates
C) S/MIME Certificates
D) DNSSEC Certificates
β
Answer: C) S/MIME Certificates
π Explanation: S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates encrypt and sign email communications.
100. What does TLS downgrade attack (also known as Fallback Attack) do?
A) Forces the use of a weaker TLS version
B) Upgrades TLS to the latest version
C) Replaces RSA with ECDSA
D) Encrypts session tickets
β
Answer: A) Forces the use of a weaker TLS version
π Explanation: TLS downgrade attacks trick servers into using outdated, insecure versions like SSL 3.0.
101. Which field in an SSL/TLS certificate helps browsers verify the certificateβs authenticity?
A) Subject Alternative Name (SAN)
B) Public Key
C) Issuerβs Digital Signature
D) Session Key
β
Answer: C) Issuerβs Digital Signature
π Explanation: The digital signature from a trusted CA verifies the authenticity of an SSL/TLS certificate.
102. What is a primary security benefit of TLS 1.3 over previous versions?
A) It eliminates weaker cryptographic algorithms
B) It increases handshake latency
C) It requires larger key sizes
D) It forces RSA for key exchange
β
Answer: A) It eliminates weaker cryptographic algorithms
π Explanation: TLS 1.3 removes outdated ciphers like RSA key exchange and CBC mode, improving security.
103. What is the purpose of Key Exchange in SSL/TLS?
A) To exchange symmetric session keys securely
B) To encrypt certificates
C) To verify the browserβs IP address
D) To establish a VPN connection
β
Answer: A) To exchange symmetric session keys securely
π Explanation: The key exchange process allows clients and servers to securely share session keys for encryption.
104. Why is AES-GCM preferred over AES-CBC in TLS encryption?
A) AES-GCM is faster and provides authenticated encryption
B) AES-GCM uses smaller keys
C) AES-CBC is more efficient for HTTPS
D) AES-GCM requires longer certificate validity
β
Answer: A) AES-GCM is faster and provides authenticated encryption
π Explanation: AES-GCM (Galois/Counter Mode) is more efficient, resistant to padding oracle attacks, and supports authentication.
105. What is the purpose of the Signature Algorithm field in an SSL/TLS certificate?
A) To specify the encryption method for data transmission
B) To verify certificate authenticity
C) To store session keys
D) To encrypt the clientβs IP address
β
Answer: B) To verify certificate authenticity
π Explanation: The Signature Algorithm field defines the cryptographic hash function used to sign the certificate, ensuring its validity.
106. Which attack involves injecting malicious data into an encrypted HTTPS session?
A) BEAST
B) SSL Stripping
C) Padding Oracle Attack
D) Downgrade Attack
β
Answer: C) Padding Oracle Attack
π Explanation: Padding Oracle Attacks exploit weaknesses in CBC-mode encryption to reveal encrypted data.
107. What role does the ServerHelloDone message play in the TLS handshake?
A) It terminates the connection
B) It signals that the server has completed its part of the handshake
C) It encrypts the session key
D) It forces the client to resend its certificate
β
Answer: B) It signals that the server has completed its part of the handshake
π Explanation: ServerHelloDone tells the client that the server has sent all necessary handshake information.
108. What does the Secure Renegotiation feature in TLS prevent?
A) Key reuse between sessions
B) Man-in-the-middle attacks exploiting session renegotiation
C) SSL stripping attacks
D) Certificate expiration errors
β
Answer: B) Man-in-the-middle attacks exploiting session renegotiation
π Explanation: Secure Renegotiation ensures that session renegotiations are not exploited by MITM attackers.
109. What is the purpose of the TLS Finished message?
A) To terminate the session
B) To confirm that all handshake messages were successfully received
C) To initiate key exchange
D) To upgrade the session to TLS 1.3
β
Answer: B) To confirm that all handshake messages were successfully received
π Explanation: The Finished message ensures the integrity of the handshake and confirms that no tampering occurred.
110. Which cipher is explicitly prohibited in TLS 1.3?
A) AES-GCM
B) RC4
C) ChaCha20
D) SHA-256
β
Answer: B) RC4
π Explanation: TLS 1.3 removes insecure ciphers, including RC4, due to its vulnerabilities to cryptographic attacks.
111. What is the primary function of the TLS Alert Protocol?
A) To notify about security issues or errors
B) To generate encryption keys
C) To speed up HTTPS connections
D) To issue new SSL certificates
β
Answer: A) To notify about security issues or errors
π Explanation: The Alert Protocol in TLS is used for warning messages and fatal error notifications.
112. Which type of encryption key is used in a TLS session for encrypting data after the handshake?
A) Asymmetric Public Key
B) Session Symmetric Key
C) Root CA Key
D) Server Private Key
β
Answer: B) Session Symmetric Key
π Explanation: After the handshake, TLS uses a symmetric key (e.g., AES) for faster data encryption.
113. What is a primary advantage of the TLS 1.3 handshake process?
A) It is faster and reduces latency
B) It allows weaker encryption methods
C) It removes certificate authentication
D) It eliminates the need for HTTPS
β
Answer: A) It is faster and reduces latency
π Explanation: TLS 1.3 simplifies the handshake, reducing round trips and improving performance.
114. What is a self-signed SSL certificate primarily used for?
A) Public website security
B) Internal testing and private networks
C) Online banking applications
D) Government-issued identity verification
β
Answer: B) Internal testing and private networks
π Explanation: Self-signed certificates are mainly used for private networks and internal testing, not public sites.
115. Why should TLS 1.0 and TLS 1.1 be disabled?
A) They are no longer supported by major browsers
B) They are the fastest TLS versions
C) They require manual key exchange
D) They do not support digital certificates
β
Answer: A) They are no longer supported by major browsers
π Explanation: TLS 1.0 and 1.1 are outdated and contain security vulnerabilities, leading browsers to deprecate them.
116. What is the impact of enabling HTTP Strict Transport Security (HSTS)?
A) It forces browsers to only connect over HTTPS
B) It encrypts all HTTP responses
C) It removes the need for SSL certificates
D) It prevents OCSP verification
β
Answer: A) It forces browsers to only connect over HTTPS
π Explanation: HSTS ensures that browsers always use HTTPS, preventing downgrade attacks.
117. What does an Extended Validation (EV) SSL certificate provide?
A) Stronger encryption
B) More detailed company validation
C) Free automatic renewals
D) Lifetime validity
β
Answer: B) More detailed company validation
π Explanation: EV SSL certificates require extensive business verification to enhance user trust.
118. What is the main risk of using a wildcard SSL certificate?
A) It cannot encrypt HTTPS traffic
B) If compromised, all subdomains are at risk
C) It only supports RSA encryption
D) It requires multiple renewals per year
β
Answer: B) If compromised, all subdomains are at risk
π Explanation: A wildcard SSL certificate secures all subdomains, so a single compromise affects the entire domain.
119. What type of SSL/TLS certificate is needed for multiple domains?
A) Wildcard Certificate
B) Multi-Domain (SAN) Certificate
C) Extended Validation (EV) Certificate
D) Self-Signed Certificate
β
Answer: B) Multi-Domain (SAN) Certificate
π Explanation: Multi-Domain (SAN) Certificates allow a single certificate to cover multiple domains.
120. Why is Perfect Forward Secrecy (PFS) recommended in TLS?
A) It prevents attackers from decrypting past communications
B) It speeds up HTTPS connections
C) It removes the need for SSL certificates
D) It enforces static key exchange
β
Answer: A) It prevents attackers from decrypting past communications
π Explanation: PFS generates unique session keys per session, ensuring past encrypted data remains secure even if private keys are compromised.
121. What is the primary function of the Cipher Suite in SSL/TLS?
A) To define the encryption and hashing algorithms used in a secure session
B) To generate SSL certificates
C) To store user authentication details
D) To speed up HTTP requests
β
Answer: A) To define the encryption and hashing algorithms used in a secure session
π Explanation: A Cipher Suite is a set of cryptographic algorithms used in SSL/TLS for encryption, key exchange, authentication, and integrity.
122. Why is the Server Name Indication (SNI) extension used in TLS?
A) To allow multiple SSL certificates on a single IP address
B) To prevent session hijacking
C) To encrypt DNS requests
D) To verify a serverβs identity
β
Answer: A) To allow multiple SSL certificates on a single IP address
π Explanation: SNI allows different domains to use unique SSL/TLS certificates while sharing the same IP address.
123. What does “TLS_FALLBACK_SCSV” do in TLS security?
A) Prevents forced downgrade attacks
B) Forces TLS 1.0 to be used
C) Encrypts all SSL certificates
D) Replaces OCSP validation
β
Answer: A) Prevents forced downgrade attacks
π Explanation: TLS_FALLBACK_SCSV (Signaling Cipher Suite Value) prevents downgrade attacks by blocking connections that attempt to use weaker TLS versions.
124. What is the primary purpose of Certificate Transparency (CT) logs?
A) To detect fraudulent or misissued SSL/TLS certificates
B) To encrypt the certificate chain
C) To store TLS session keys
D) To replace OCSP responses
β
Answer: A) To detect fraudulent or misissued SSL/TLS certificates
π Explanation: Certificate Transparency logs track issued certificates, helping detect fraudulent or improperly issued certificates.
125. Which TLS feature helps in preventing Man-in-the-Middle (MITM) attacks?
A) Certificate validation
B) TLS compression
C) Session fixation
D) Disabling HSTS
β
Answer: A) Certificate validation
π Explanation: Certificate validation ensures that the websiteβs certificate is signed by a trusted CA, preventing MITM attacks.
126. What happens when a client and server cannot agree on a cipher suite during the TLS handshake?
A) The connection is established using the most secure cipher
B) The handshake fails, and the connection is not established
C) The client generates a new cipher suite list
D) The server downgrades the connection to SSL
β
Answer: B) The handshake fails, and the connection is not established
π Explanation: If no common cipher suite is found, the TLS handshake fails, preventing insecure communication.
127. What is the function of the TLS Heartbeat extension?
A) To maintain an open TLS session without renegotiation
B) To encrypt session keys
C) To validate expired certificates
D) To perform TLS version negotiation
β
Answer: A) To maintain an open TLS session without renegotiation
π Explanation: TLS Heartbeat keeps a connection alive by sending periodic messages, preventing unnecessary renegotiation.
128. What attack exploited a vulnerability in the TLS Heartbeat extension?
A) Heartbleed
B) POODLE
C) Logjam
D) BEAST
β
Answer: A) Heartbleed
π Explanation: Heartbleed exploited a flaw in OpenSSLβs Heartbeat extension, allowing attackers to read sensitive data from memory.
129. Which encryption mode is commonly used in TLS for authenticated encryption?
A) AES-CBC
B) AES-GCM
C) RSA-OAEP
D) RC4
β
Answer: B) AES-GCM
π Explanation: AES-GCM (Galois/Counter Mode) is widely used in TLS due to its efficiency and authenticated encryption capability.
130. Why is SSL 3.0 considered insecure?
A) It uses 2048-bit encryption
B) It is vulnerable to the POODLE attack
C) It does not support HTTPS
D) It cannot encrypt web traffic
β
Answer: B) It is vulnerable to the POODLE attack
π Explanation: SSL 3.0 is deprecated due to vulnerabilities like POODLE, which allow attackers to decrypt secure communications.
131. What is the role of OCSP Stapling in TLS?
A) It allows servers to provide real-time certificate revocation status
B) It encrypts session keys
C) It replaces TLS handshake messages
D) It prevents brute-force attacks
β
Answer: A) It allows servers to provide real-time certificate revocation status
π Explanation: OCSP Stapling allows servers to send OCSP responses directly, reducing overhead and improving efficiency.
132. Which component of TLS ensures data integrity?
A) AES encryption
B) Message Authentication Code (MAC)
C) Public key encryption
D) DNSSEC
β
Answer: B) Message Authentication Code (MAC)
π Explanation: MAC algorithms (like HMAC) verify that messages have not been altered in transit, ensuring integrity.
133. Why should weak cipher suites (e.g., RC4) be disabled in TLS?
A) They are computationally expensive
B) They have known vulnerabilities
C) They require certificate pinning
D) They prevent session resumption
β
Answer: B) They have known vulnerabilities
π Explanation: Weak cipher suites (like RC4) are vulnerable to cryptanalysis and should be disabled to maintain secure TLS connections.
134. What does the TLS Change Cipher Spec message do?
A) It indicates that subsequent messages will be encrypted
B) It initiates certificate revocation
C) It performs an SSL downgrade attack
D) It generates a new public key
β
Answer: A) It indicates that subsequent messages will be encrypted
π Explanation: The Change Cipher Spec message signals that the client and server will now use encryption for further communication.
135. What is the main reason TLS 1.3 removed RSA key exchange?
A) RSA is no longer secure
B) It does not support Perfect Forward Secrecy
C) It requires longer certificate validity
D) It does not work with HSTS
β
Answer: B) It does not support Perfect Forward Secrecy
π Explanation: TLS 1.3 removed RSA key exchange because it lacks Perfect Forward Secrecy, making past communications vulnerable if private keys are compromised.
136. What type of encryption is used to protect data in transit with TLS?
A) Symmetric encryption
B) Asymmetric encryption
C) Hashing only
D) Digital signatures
β
Answer: A) Symmetric encryption
π Explanation: After the handshake, TLS uses symmetric encryption (AES, ChaCha20) to efficiently encrypt data in transit.
137. What is a major benefit of enabling HTTP/3 over TLS?
A) It reduces handshake time using QUIC
B) It does not require SSL certificates
C) It forces all connections to use RSA encryption
D) It prevents TLS version negotiation
β
Answer: A) It reduces handshake time using QUIC
π Explanation: HTTP/3 uses QUIC, which eliminates TCPβs handshake delay, improving TLS connection speed.
138. What does “Mutual TLS (mTLS)” provide that standard TLS does not?
A) Authentication of both client and server
B) Faster encryption
C) Automatic SSL certificate renewal
D) Downgrade protection
β
Answer: A) Authentication of both client and server
π Explanation: mTLS requires both the client and server to present valid TLS certificates, ensuring mutual authentication.
139. What is the risk of using expired SSL/TLS certificates?
A) Browsers will show security warnings
B) Websites become vulnerable to MITM attacks
C) The certificate chain will be considered invalid
D) All of the above
β
Answer: D) All of the above
π Explanation: Expired certificates lead to browser warnings, invalid trust chains, and increased security risks.
140. What does the TLS Renegotiation Attack exploit?
A) Weaknesses in session renegotiation
B) Downgrade attacks on SSL
C) The removal of RC4 encryption
D) Certificate expiration policies
β
Answer: A) Weaknesses in session renegotiation
π Explanation: TLS Renegotiation Attacks exploit vulnerabilities in renegotiation, allowing session hijacking.
141. What is the purpose of the Pre-Master Secret in TLS?
A) It is used to derive the session key for encryption
B) It is the public key used in certificate authentication
C) It is used for certificate revocation
D) It is a static key used in all sessions
β
Answer: A) It is used to derive the session key for encryption
π Explanation: The Pre-Master Secret is exchanged during the TLS handshake and is used to generate the session key for encrypting data.
142. What does TLS False Start aim to achieve?
A) Reducing handshake latency by allowing early encrypted data transmission
B) Increasing encryption strength with larger keys
C) Eliminating the need for a Certificate Authority
D) Preventing downgrade attacks
β
Answer: A) Reducing handshake latency by allowing early encrypted data transmission
π Explanation: TLS False Start improves performance by allowing encrypted data to be sent before the handshake is fully completed.
143. What is the key difference between RSA and ECDSA in SSL/TLS?
A) ECDSA requires larger key sizes than RSA
B) ECDSA provides the same security with smaller key sizes than RSA
C) RSA does not support Perfect Forward Secrecy
D) RSA is faster than ECDSA
β
Answer: B) ECDSA provides the same security with smaller key sizes than RSA
π Explanation: Elliptic Curve Digital Signature Algorithm (ECDSA) provides equivalent security to RSA but with much smaller key sizes, improving performance.
144. What is the main purpose of TLS resumption techniques (session IDs and session tickets)?
A) To speed up repeated TLS handshakes
B) To generate new SSL certificates automatically
C) To prevent man-in-the-middle attacks
D) To encrypt session cookies
β
Answer: A) To speed up repeated TLS handshakes
π Explanation: TLS session resumption techniques reduce handshake overhead, improving connection speed.
145. What type of certificate is required for securing both example.com and sub.example.com?
A) Multi-Domain (SAN) Certificate
B) Wildcard Certificate
C) Extended Validation (EV) Certificate
D) Self-Signed Certificate
β
Answer: B) Wildcard Certificate
π Explanation: Wildcard certificates (e.g., *.example.com) secure the main domain and all its subdomains.
146. What vulnerability led to the deprecation of SSL 3.0?
A) POODLE
B) Heartbleed
C) BEAST
D) CRIME
β
Answer: A) POODLE
π Explanation: The POODLE attack exploited SSL 3.0βs use of CBC mode, allowing attackers to decrypt sensitive data.
147. What does the term “TLS downgrade attack” refer to?
A) Forcing a connection to use an older, insecure TLS version
B) Encrypting data with longer keys
C) Upgrading an SSL connection to TLS 1.3
D) Bypassing certificate validation
β
Answer: A) Forcing a connection to use an older, insecure TLS version
π Explanation: Downgrade attacks force the use of older TLS versions, making connections vulnerable to known exploits.
148. What is the purpose of a Public Key Infrastructure (PKI) in TLS?
A) To manage the issuance and validation of digital certificates
B) To encrypt web traffic
C) To store user passwords
D) To replace HTTPS with HTTP
β
Answer: A) To manage the issuance and validation of digital certificates
π Explanation: PKI is responsible for managing SSL/TLS certificates, ensuring authentication and encryption.
149. Why is TLS 1.3 considered more secure than TLS 1.2?
A) It eliminates weaker cryptographic algorithms and reduces handshake complexity
B) It forces the use of RSA encryption
C) It requires manual key exchange
D) It disables certificate validation
β
Answer: A) It eliminates weaker cryptographic algorithms and reduces handshake complexity
π Explanation: TLS 1.3 removes weak ciphers and simplifies handshakes, improving security and performance.
150. What does HTTPS enforce over HTTP?
A) Encryption and authentication
B) Faster page loads
C) Better search engine ranking
D) DNS resolution
β
Answer: A) Encryption and authentication
π Explanation: HTTPS ensures that all data transmitted between the client and server is encrypted and authenticated using SSL/TLS.
151. What does a self-signed certificate lack compared to a CA-issued certificate?
A) Trust from browsers and operating systems
B) Encryption capability
C) Key exchange functionality
D) Session expiration
β
Answer: A) Trust from browsers and operating systems
π Explanation: Self-signed certificates are not verified by a trusted Certificate Authority (CA), leading to security warnings in browsers.
152. Which component in TLS helps ensure Perfect Forward Secrecy (PFS)?
A) Ephemeral Diffie-Hellman (DHE/ECDHE)
B) RSA key exchange
C) Static session keys
D) Message Authentication Codes (MACs)
β
Answer: A) Ephemeral Diffie-Hellman (DHE/ECDHE)
π Explanation: PFS requires ephemeral key exchanges like DHE and ECDHE to ensure each session has unique encryption keys.
153. Which TLS extension allows multiple domain names to be secured under one certificate?
A) Subject Alternative Name (SAN)
B) Server Name Indication (SNI)
C) Certificate Transparency (CT)
D) OCSP Stapling
β
Answer: A) Subject Alternative Name (SAN)
π Explanation: SAN certificates allow a single certificate to secure multiple domain names.
154. What is the key risk of using TLS compression?
A) It enables the CRIME attack
B) It slows down HTTPS performance
C) It prevents certificate revocation
D) It requires larger encryption keys
β
Answer: A) It enables the CRIME attack
π Explanation: TLS compression is vulnerable to CRIME (Compression Ratio Info-leak Made Easy) attacks, which allow attackers to infer sensitive data.
155. Why is mutual TLS (mTLS) more secure than standard TLS?
A) It requires authentication from both client and server
B) It prevents HTTPS downgrades
C) It uses larger encryption keys
D) It forces only government-approved certificates
β
Answer: A) It requires authentication from both client and server
π Explanation: mTLS enhances security by requiring both the client and server to authenticate each other using certificates.
156. What does the TLS Finished message confirm?
A) That the handshake was successfully completed
B) That encryption has been disabled
C) That a session key is permanently stored
D) That the server’s IP address has changed
β
Answer: A) That the handshake was successfully completed
π Explanation: The Finished message ensures that the handshake was successful and that no tampering has occurred.
157. What happens if an SSL certificate is revoked?
A) Browsers will block access and show a warning
B) The certificate becomes valid again after 24 hours
C) The website remains secure
D) The certificate regenerates automatically
β
Answer: A) Browsers will block access and show a warning
π Explanation: Revoked certificates are flagged as untrusted, leading to browser security warnings.
158. What is a critical weakness of RSA key exchange?
A) It does not support Forward Secrecy
B) It is faster than ECDHE
C) It only works on Windows servers
D) It cannot encrypt large data
β
Answer: A) It does not support Forward Secrecy
π Explanation: RSA key exchange uses a static private key, making it vulnerable to retrospective decryption if compromised.
159. What is the benefit of using a certificate issued by a trusted CA?
A) It is automatically trusted by browsers
B) It encrypts data faster than a self-signed certificate
C) It prevents all cyber attacks
D) It never expires
β
Answer: A) It is automatically trusted by browsers
π Explanation: CA-issued certificates are verified and trusted by browsers, unlike self-signed certificates.
160. Why should TLS 1.0 and TLS 1.1 be disabled?
A) They are vulnerable to modern cryptographic attacks
B) They do not support HTTPS
C) They are required for older websites
D) They encrypt data more slowly
β
Answer: A) They are vulnerable to modern cryptographic attacks
π Explanation: TLS 1.0 and 1.1 have known security flaws and should be disabled in favor of TLS 1.2 or 1.3.
161. Which type of SSL/TLS certificate is specifically designed for encrypting emails?
A) Extended Validation (EV) Certificate
B) Wildcard Certificate
C) S/MIME Certificate
D) DNSSEC Certificate
β
Answer: C) S/MIME Certificate
π Explanation: Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates encrypt and sign email communications, ensuring confidentiality and authenticity.
162. What is the purpose of an Intermediate Certificate Authority (CA)?
A) To sign and issue certificates on behalf of the Root CA
B) To validate TLS handshakes
C) To encrypt HTTPS traffic
D) To store private keys of all certificates
β
Answer: A) To sign and issue certificates on behalf of the Root CA
π Explanation: Intermediate CAs act as a bridge between the Root CA and end-user certificates, reducing security risks if compromised.
163. Which of the following is NOT a valid hashing algorithm used in TLS?
A) SHA-256
B) MD5
C) SHA-1
D) RC4
β
Answer: D) RC4
π Explanation: RC4 is a stream cipher, not a hashing algorithm. TLS uses hash functions like SHA-256 and SHA-1 (deprecated).
164. How does a Certificate Revocation List (CRL) function?
A) It contains a list of revoked certificates
B) It generates new session keys
C) It encrypts SSL certificates
D) It verifies TLS session tickets
β
Answer: A) It contains a list of revoked certificates
π Explanation: CRLs are issued by Certificate Authorities (CAs) to list invalid or compromised SSL/TLS certificates.
165. What is the main advantage of OCSP over CRL?
A) Faster real-time certificate revocation status checks
B) Better encryption strength
C) More secure hashing algorithms
D) Longer certificate validity
β
Answer: A) Faster real-time certificate revocation status checks
π Explanation: Online Certificate Status Protocol (OCSP) provides real-time verification, whereas CRLs require frequent downloads.
166. What does a wildcard SSL certificate secure?
A) A single domain
B) Multiple unrelated domains
C) A domain and all of its subdomains
D) Only internal network communications
β
Answer: C) A domain and all of its subdomains
π Explanation: Wildcard certificates (e.g., *.example.com) secure the main domain and all subdomains under it.
167. What is a potential downside of wildcard certificates?
A) They are not compatible with TLS 1.3
B) If compromised, all subdomains become vulnerable
C) They do not support encryption
D) They cannot be renewed
β
Answer: B) If compromised, all subdomains become vulnerable
π Explanation: Since a wildcard certificate secures multiple subdomains, a breach compromises the entire domain.
168. What does HTTPS enforce that HTTP does not?
A) Encryption and authentication
B) Lower latency
C) Faster DNS resolution
D) Automatic certificate updates
β
Answer: A) Encryption and authentication
π Explanation: HTTPS encrypts data using SSL/TLS and authenticates the server, ensuring secure communication.
169. Which TLS feature ensures that if a private key is compromised, past communications remain secure?
A) Forward Secrecy
B) Session Resumption
C) TLS False Start
D) Certificate Pinning
β
Answer: A) Forward Secrecy
π Explanation: Forward Secrecy (PFS) ensures that each session uses unique keys, preventing retroactive decryption if private keys are compromised.
170. Why is it important to disable weak ciphers in a TLS configuration?
A) To improve connection speed
B) To prevent attackers from exploiting known vulnerabilities
C) To reduce SSL certificate costs
D) To avoid requiring a Certificate Authority
β
Answer: B) To prevent attackers from exploiting known vulnerabilities
π Explanation: Weak ciphers like RC4 and DES should be disabled to prevent cryptographic attacks.
171. What is the main advantage of ECDHE over traditional Diffie-Hellman key exchange?
A) ECDHE is faster and provides the same security with smaller keys
B) ECDHE does not require certificates
C) ECDHE does not support Forward Secrecy
D) ECDHE is only used for TLS 1.1
β
Answer: A) ECDHE is faster and provides the same security with smaller keys
π Explanation: Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) achieves strong security with smaller key sizes and supports Forward Secrecy.
172. What does the TLS Renegotiation Indication Extension prevent?
A) Downgrade attacks
B) Man-in-the-middle (MITM) attacks during renegotiation
C) Certificate expiration errors
D) Encrypted DNS spoofing
β
Answer: B) Man-in-the-middle (MITM) attacks during renegotiation
π Explanation: This extension prevents attackers from exploiting renegotiation weaknesses to inject malicious content.
173. Which of the following is a requirement for HTTP/2 over TLS?
A) TLS 1.2 or later
B) SSL 3.0 support
C) AES-CBC cipher
D) Self-signed certificates
β
Answer: A) TLS 1.2 or later
π Explanation: HTTP/2 requires at least TLS 1.2 for security and performance reasons.
174. What is the primary function of Encrypted Client Hello (ECH) in TLS?
A) To encrypt the SNI (Server Name Indication) field
B) To store SSL certificates
C) To improve session resumption speed
D) To enforce strict OCSP checks
β
Answer: A) To encrypt the SNI (Server Name Indication) field
π Explanation: ECH encrypts the Client Hello message, preventing eavesdroppers from identifying which website is being accessed.
175. Which TLS extension is commonly used to verify that a certificate is still valid without requiring the client to contact the CA?
A) OCSP Stapling
B) Certificate Transparency
C) DNSSEC
D) Cipher Suite Negotiation
β
Answer: A) OCSP Stapling
π Explanation: OCSP Stapling allows servers to provide real-time certificate status updates, reducing the need for direct CA checks.
176. What happens when an SSL certificate expires?
A) The website is marked as “Not Secure” in browsers
B) The certificate automatically renews
C) The TLS handshake still works, but encryption is weaker
D) The certificate gains an additional 30-day grace period
β
Answer: A) The website is marked as “Not Secure” in browsers
π Explanation: Expired SSL certificates trigger browser security warnings, making websites appear untrustworthy.
177. What type of SSL/TLS certificate is needed for multiple unrelated domains?
A) Wildcard Certificate
B) Multi-Domain (SAN) Certificate
C) Extended Validation (EV) Certificate
D) Organization Validated (OV) Certificate
β
Answer: B) Multi-Domain (SAN) Certificate
π Explanation: SAN (Subject Alternative Name) certificates allow one certificate to secure multiple distinct domains.
178. Which TLS feature allows servers to specify a list of preferred cipher suites?
A) Cipher Suite Order Enforcement
B) OCSP Must-Staple
C) HSTS Preloading
D) TLS Session Resumption
β
Answer: A) Cipher Suite Order Enforcement
π Explanation: Cipher Suite Order Enforcement lets servers prioritize more secure encryption algorithms.
179. What is the purpose of TLS session tickets?
A) To resume TLS sessions without a full handshake
B) To encrypt certificates
C) To generate OCSP responses
D) To enforce strict transport security
β
Answer: A) To resume TLS sessions without a full handshake
π Explanation: TLS session tickets store session parameters, enabling faster reconnections without redoing the handshake.
180. Why should SHA-1 certificates no longer be used?
A) They are vulnerable to collision attacks
B) They are too slow
C) They are not supported by TLS 1.3
D) They require more CPU resources
β
Answer: A) They are vulnerable to collision attacks
π Explanation: SHA-1 is weak against cryptographic collision attacks, making it insecure for digital certificates.
181. What is the main function of the TLS Record Layer?
A) Managing certificate validation
B) Encrypting and securing data transmission
C) Handling cipher suite negotiation
D) Performing DNS resolution
β
Answer: B) Encrypting and securing data transmission
π Explanation: The TLS Record Layer is responsible for encrypting and transmitting data securely between the client and server.
182. What is the primary difference between TLS 1.2 and TLS 1.3 in terms of handshake?
A) TLS 1.3 requires multiple round trips for key exchange
B) TLS 1.3 reduces the number of handshake messages
C) TLS 1.3 removes session resumption
D) TLS 1.3 requires longer key sizes
β
Answer: B) TLS 1.3 reduces the number of handshake messages
π Explanation: TLS 1.3 simplifies the handshake by reducing round trips, improving speed and security.
183. What happens if a website’s SSL/TLS certificate is self-signed?
A) The website is automatically trusted
B) The browser displays a warning about an untrusted certificate
C) The certificate is valid for only 30 days
D) The website loads without HTTPS
β
Answer: B) The browser displays a warning about an untrusted certificate
π Explanation: Self-signed certificates are not issued by a trusted CA, causing browsers to warn users about potential security risks.
184. Which encryption algorithm is commonly used in TLS 1.3?
A) RSA key exchange
B) AES-GCM
C) DES
D) MD5
β
Answer: B) AES-GCM
π Explanation: AES-GCM (Advanced Encryption Standard – Galois/Counter Mode) is widely used in TLS 1.3 for authenticated encryption.
185. What is a major disadvantage of using RC4 encryption in TLS?
A) It is extremely slow
B) It is vulnerable to cryptographic attacks
C) It requires an external certificate
D) It cannot be used in HTTPS
β
Answer: B) It is vulnerable to cryptographic attacks
π Explanation: RC4 is weak and susceptible to multiple attacks, leading to its deprecation in TLS.
186. What does a browser check when validating an SSL/TLS certificate?
A) Certificate expiration, CA validity, and revocation status
B) Server response time
C) JavaScript compatibility
D) User login credentials
β
Answer: A) Certificate expiration, CA validity, and revocation status
π Explanation: Browsers verify that the certificate is issued by a trusted CA, not expired, and not revoked.
187. What attack does SSL Stripping exploit?
A) Downgrading HTTPS connections to HTTP
B) Using expired certificates
C) Brute-force attacks on session keys
D) DNS poisoning
β
Answer: A) Downgrading HTTPS connections to HTTP
π Explanation: SSL Stripping forces a userβs connection from HTTPS to HTTP, exposing sensitive data to attackers.
188. What is the primary role of the Message Authentication Code (MAC) in TLS?
A) Encrypting data
B) Ensuring data integrity
C) Generating certificates
D) Performing key exchange
β
Answer: B) Ensuring data integrity
π Explanation: MAC verifies that transmitted data has not been altered, ensuring integrity in TLS communication.
189. What security risk does TLS session resumption introduce if not properly implemented?
A) Session hijacking
B) Certificate forgery
C) DNS spoofing
D) Server overload
β
Answer: A) Session hijacking
π Explanation: If session resumption is improperly secured, attackers may reuse session IDs to hijack encrypted connections.
190. What is the function of a Root Certificate Authority (Root CA)?
A) Issuing digital certificates to end-users directly
B) Issuing certificates to intermediate CAs
C) Storing encryption keys for websites
D) Enforcing HTTPS on all browsers
β
Answer: B) Issuing certificates to intermediate CAs
π Explanation: Root CAs issue certificates to intermediate CAs, which then issue end-user certificates, creating a Chain of Trust.
191. What is the impact of a compromised private key in a TLS certificate?
A) Attackers can decrypt past and future encrypted sessions
B) The certificate is automatically revoked
C) The CA immediately replaces the certificate
D) The website runs slower
β
Answer: A) Attackers can decrypt past and future encrypted sessions
π Explanation: If a private key is compromised and Forward Secrecy is not enabled, attackers can decrypt encrypted communications.
192. Which TLS extension ensures secure communication even in case of a downgrade attack attempt?
A) TLS_FALLBACK_SCSV
B) OCSP Stapling
C) Forward Secrecy
D) Server Name Indication (SNI)
β
Answer: A) TLS_FALLBACK_SCSV
π Explanation: TLS_FALLBACK_SCSV prevents clients from being forced to use older, weaker TLS versions.
193. What is the primary benefit of HTTP Strict Transport Security (HSTS)?
A) It forces browsers to always use HTTPS
B) It provides encryption for email traffic
C) It speeds up website load times
D) It replaces SSL/TLS certificates
β
Answer: A) It forces browsers to always use HTTPS
π Explanation: HSTS ensures that users always connect via HTTPS, preventing SSL Stripping attacks.
194. What is the risk of using expired SSL/TLS certificates?
A) Users will see a browser security warning
B) HTTPS will still function, but encryption will be weaker
C) The certificate automatically renews itself
D) The website will load faster
β
Answer: A) Users will see a browser security warning
π Explanation: Expired SSL/TLS certificates trigger browser security warnings and may cause users to avoid the website.
195. Which component of TLS ensures authentication?
A) Public key cryptography
B) Symmetric encryption
C) Cipher block chaining
D) Message padding
β
Answer: A) Public key cryptography
π Explanation: TLS authentication is based on public key cryptography, allowing clients to verify the serverβs identity.
196. What is the primary reason for using Perfect Forward Secrecy (PFS)?
A) It prevents the decryption of past communications if a key is compromised
B) It speeds up HTTPS connections
C) It eliminates the need for SSL certificates
D) It requires shorter key lengths
β
Answer: A) It prevents the decryption of past communications if a key is compromised
π Explanation: PFS ensures that even if an attacker gains access to a private key, they cannot decrypt past communications.
197. Why was TLS 1.0 deprecated?
A) It is vulnerable to modern cryptographic attacks
B) It does not support HTTPS
C) It was replaced by SSL 3.0
D) It uses 4096-bit encryption
β
Answer: A) It is vulnerable to modern cryptographic attacks
π Explanation: TLS 1.0 has known vulnerabilities and lacks modern security features, making it insecure.
198. What does the TLS session key do?
A) Encrypts data during a session
B) Authenticates a serverβs identity
C) Stores the user’s password
D) Generates SSL certificates
β
Answer: A) Encrypts data during a session
π Explanation: The TLS session key is a symmetric key used to encrypt data during an active session.
199. Why is OCSP Stapling preferred over traditional OCSP?
A) It reduces the load on certificate authorities (CAs)
B) It prevents phishing attacks
C) It allows the use of expired certificates
D) It speeds up the SSL handshake
β
Answer: A) It reduces the load on certificate authorities (CAs)
π Explanation: OCSP Stapling allows the server to provide revocation status, reducing CA verification requests.
200. Why should TLS compression be disabled?
A) It introduces the risk of CRIME attacks
B) It slows down encryption
C) It prevents session resumption
D) It is only used in TLS 1.3
β
Answer: A) It introduces the risk of CRIME attacks
π Explanation: TLS compression can leak sensitive data through compression-based attacks like CRIME.