Chapter 92 · Flashcards

Secure Protocols — Flashcards

Ten cards covering insecure-to-secure protocol replacements and their ports, the port-number-not-guarantee rule, packet capture verification, open Wi-Fi risks, WPA3 per-session encryption, VPN tunnel architecture, and when to use VPN versus WPA3. Click any card to flip it.

What are the four most commonly tested insecure protocols and their port numbers?

Telnet / 23 — remote terminal access, transmits all keystrokes in plaintext. FTP / 21 — file transfer, credentials and data unencrypted. HTTP / 80 — web browsing, page content and cookies exposed. IMAP / 143 — email retrieval, inbox content and credentials visible on the wire. All four have encrypted replacements; none should be used over untrusted networks.

What secure protocol replaces Telnet, and what additional capabilities does it provide beyond encrypted remote access?

SSH (Secure Shell) / port 22 replaces Telnet. Beyond encrypted terminal sessions, SSH also provides: SFTP — secure file transfer (replaces FTP over the same SSH session). SCP — secure file copy. Port forwarding / tunneling — wrapping other protocols inside an encrypted SSH session. A single SSH installation replaces the functionality of both Telnet and FTP.

What are the secure email protocol replacements and their port numbers?

IMAPS (IMAP Secure) / 993 — replaces IMAP/143 for encrypted email retrieval. POP3S (POP3 Secure) / 995 — replaces POP3/110 for encrypted email retrieval. SMTPS (SMTP Secure) / 465 or 587 — replaces SMTP/25 for encrypted email sending. The “S” suffix on the protocol name and the port number change are the exam triggers for “this version is encrypted.”

Why does a port number alone not guarantee that a connection is encrypted?

Port numbers are assignments, not enforcement. Any application can run any protocol on any port — an administrator can configure a web server to serve unencrypted HTTP on port 443 or configure SSH to listen on port 80. The port number only identifies the intended service. To confirm encryption, capture traffic with Wireshark and inspect the packet payload. If you can read plaintext credentials or page content, the connection is unencrypted regardless of what port it uses.

What tool is used to verify whether a protocol connection is actually encrypted, and what do you look for?

Wireshark (packet analyzer / protocol analyzer). Capture traffic on the interface where the connection flows. If the connection is encrypted, the payload will appear as binary ciphertext — unreadable. If the connection is unencrypted, you will see readable ASCII text: usernames, passwords, email content, web page HTML. This is the definitive verification method — port numbers and protocol names can be misleading, but captured plaintext is conclusive.

What is the Wall of Sheep, and what security principle does it demonstrate?

The Wall of Sheep is a display at the DEF CON security conference showing live credential captures from conference attendees using insecure protocols over the shared network. Usernames, partial passwords, and email addresses appear on screen in real time. It demonstrates that passive network interception requires no active attack — any device on the same network can capture unencrypted traffic. Using Telnet, FTP, HTTP, or IMAP on an untrusted network exposes credentials to any observer on the wire.

What is an open access point, and why is connecting to one dangerous even if you are not sending login credentials?

An open access point requires no password to join. All traffic between connected devices and the AP is transmitted in cleartext with no wireless-layer encryption. Any other device on the same AP can run a packet capture and read all unencrypted traffic. The risk extends beyond passwords: session cookies, email content, API tokens, DNS queries, and metadata are all visible. Even “just browsing” exposes which sites you visit, and any unencrypted HTTP session exposes full page content and authentication cookies.

What does WPA3 provide that earlier Wi-Fi security did not, and what is the scope of its protection?

WPA3 encrypts each device’s traffic with a unique per-session key. Even if multiple devices share the same Wi-Fi password, each session uses different cryptographic keys, so one device cannot decrypt another device’s traffic. Scope limitation: WPA3 protects only the wireless link — from the device to the access point. Once traffic enters the wired network, WPA3 provides no protection. An attacker with access to the wired infrastructure beyond the AP can still intercept unencrypted traffic.

What is a VPN, how does it create an encrypted tunnel, and what traffic does it protect?

A VPN (Virtual Private Network) establishes an encrypted tunnel from the user’s device to a VPN concentrator (server). All network traffic from the device is encapsulated and encrypted before leaving the device; it is only decrypted at the concentrator. This protects all applications simultaneously — including legacy protocols like Telnet or FTP that have no built-in encryption. The VPN adds transport-level encryption as a wrapper; the applications themselves do not need modification. This is the solution when replacing insecure applications is not feasible.

When should you choose WPA3 vs. VPN to protect wireless traffic?

WPA3: use when the threat is other wireless devices on the same AP intercepting your traffic. Protects the wireless hop only. Requires a WPA3-capable AP and client device. VPN: use when the threat extends beyond the wireless link — untrusted wired networks, ISPs, or when you need to protect legacy applications that send data in plaintext. VPN protects the entire path from device to concentrator. Best practice: deploy both — WPA3 for the wireless segment, VPN for end-to-end protection of all applications.