Chapter 92 · Tricks

Secure Protocols — Exam Tricks

Four high-yield patterns and three practice scenarios: why port numbers are not encryption guarantees, how VPN covers all applications simultaneously, the boundary of WPA3 protection, and the insecure-to-secure protocol substitution map that the exam recycles in every domain.

Trick 1 Port Number ≠ Encryption — Only Packet Capture Confirms

The exam’s most common secure-protocols trap is using a port number to conclude that a connection is encrypted. This is wrong. Port numbers are routing assignments, not security guarantees. The exam exploits this in two directions:

  • Port 443 does not mean HTTPS. An administrator could configure an HTTP server to listen on 443. Without inspection, you cannot tell from the port alone.
  • Port 80 does not mean unencrypted. Tunneled traffic or a misconfigured encrypted service could use port 80.

The only reliable verification method is Wireshark packet capture. If the payload shows readable ASCII text (usernames, passwords, HTML), the connection is unencrypted. If the payload is binary ciphertext, encryption is in use.

Exam trigger phrases:

  • “Verify whether a connection is actually encrypted” → Wireshark / packet capture
  • “The connection uses port 443 — is it secure?” → Cannot confirm without packet inspection
  • “How can you confirm credentials are not being transmitted in cleartext?” → Capture and inspect the payload
Rule: Port number = intended service, not encryption status. To confirm encryption: Wireshark. Readable payload = unencrypted, regardless of port. Binary ciphertext = encrypted.
Trick 2 VPN Covers All Applications — The Wrapper Solution for Legacy Protocols

When the exam presents a scenario where a legacy application cannot be replaced or reconfigured to use encryption, the answer is almost always VPN. This works because a VPN operates at the transport layer, wrapping all traffic from the device before it leaves the operating system.

  • Application-level fixes (like switching Telnet to SSH) require changing the application. If the application is a vendor-supplied legacy system that cannot be modified, application-level fixes are not available.
  • VPN adds encryption transparently below the application layer. Telnet, FTP, IMAP — all traffic is encrypted by the VPN regardless of whether the application itself supports encryption. The application sends plaintext to the VPN client; the VPN client encrypts it before transmission.

When to choose VPN over application replacement:

  • The application cannot be changed (vendor system, legacy hardware)
  • Multiple applications need protection simultaneously
  • Users are connecting over untrusted networks to a corporate network

Common wrong answer to reject: “Replace the FTP server with SFTP” when the scenario states the application cannot be modified. VPN is the correct answer when replacement is not an option.

Rule: VPN = transport-layer encryption wrapper that covers all applications. Legacy app that cannot be replaced + need encryption = VPN. App-level fix requires modifying the application; VPN does not.
Trick 3 WPA3 Protects Only the Wireless Hop — Not the Whole Path

The exam uses WPA3 as a distractor in scenarios where the threat extends beyond the wireless segment. WPA3 is excellent at what it does — per-device, per-session wireless encryption — but its scope is strictly limited to the path from the wireless device to the access point.

  • WPA3 prevents other wireless devices on the same AP from reading your traffic. Even if they know the Wi-Fi password, they cannot decrypt your session because each device gets unique cryptographic keys.
  • WPA3 does not protect traffic beyond the access point. Once your data travels from the AP into the wired network, WPA3 has done its job. If the wired network is untrusted (ISP, corporate backbone, public infrastructure), WPA3 offers no protection there.

Exam scenario: A user connects to WPA3 Wi-Fi at a coffee shop. An attacker with access to the wired network behind the AP captures the user’s unencrypted HTTP traffic. WPA3 did not fail — its job is the wireless link only. The fix is to also use HTTPS or a VPN.

Scope comparison:

  • WPA3: device → access point (wireless segment only)
  • VPN: device → VPN concentrator (entire path, wired and wireless)
  • HTTPS: browser → web server (end-to-end, application specific)
Rule: WPA3 = wireless link protection only. Threat beyond the AP = WPA3 is not sufficient. VPN or HTTPS needed for full-path protection.
Trick 4 The Protocol Substitution Map — Memorize the Pairs

The exam recycles the same insecure-to-secure substitution pairs across multiple question types. If you have these seven pairs memorized, you can answer instantly without reasoning through the question. The pattern is always: “Which protocol replaces [insecure] for [function]?”

InsecurePortSecure ReplacementPort
Telnet23SSH22
FTP21SFTP / SCP22 (via SSH)
HTTP80HTTPS443
IMAP143IMAPS993
POP3110POP3S995
SMTP25SMTPS465 / 587
Open Wi-FiWPA3

Memory shortcut: The “S” suffix on email protocols (IMAPS, POP3S, SMTPS) always means TLS encryption is added. SSH/22 absorbs both Telnet and FTP functions. HTTPS is HTTP plus TLS on 443.

Rule: Learn the seven pairs. Any exam question asking for a secure replacement is asking for one of these. “S” suffix = TLS added. SSH/22 replaces Telnet/23 and FTP/21.
Practice Scenarios
Scenario A: A network administrator is asked to verify whether a recently deployed email server is using encrypted connections for email retrieval. The server is configured to accept IMAP connections on port 993. The administrator opens Wireshark and captures traffic between an email client and the server during login. What does the administrator see if the connection is properly encrypted? What do they see if it is not? What is the correct port and protocol for encrypted IMAP, and what does a port number alone prove?
Answer: If the connection is properly encrypted (IMAPS with TLS), the Wireshark capture shows binary ciphertext payload. The administrator sees packet headers (source/destination IP, port 993) but the payload is unreadable binary data. No usernames, passwords, or email content is visible in plain text. If the connection is not encrypted (plain IMAP on port 993, which is misconfigured but possible), the administrator sees readable ASCII text in the payload: the IMAP commands, authentication credentials, and email content in cleartext. The correct protocol is IMAPS (IMAP Secure), which wraps IMAP in TLS. The standard port is 993. The insecure version, plain IMAP, uses port 143. The port number alone proves nothing about encryption. Port 993 is the assigned port for IMAPS, but an administrator could misconfigure a server to accept unencrypted IMAP on 993, or encrypt IMAP on a non-standard port. Port assignment is a convention, not an enforcement mechanism. Wireshark payload inspection is the only definitive confirmation of encryption status.
Scenario B: A manufacturing company uses a vendor-supplied industrial control system that communicates with a central server using Telnet on port 23. The vendor states the system cannot be upgraded and the protocol cannot be changed. The security team needs to protect this traffic from interception on the corporate network. A junior analyst suggests deploying SSH on the ICS server to replace Telnet. The security manager rejects this and proposes a VPN instead. Who is correct and why? What specific protection does the VPN provide that the analyst’s approach cannot?
Answer: The security manager is correct. The analyst’s proposal requires modifying the ICS server to run SSH, but the vendor has explicitly stated the system cannot be upgraded and the protocol cannot be changed. Application-level fixes (switching from Telnet to SSH) require the ability to change the application. When the application is immutable, application-level fixes are not available. A VPN solves this without modifying the ICS system. The VPN client runs on the device (or a gateway in front of it), encrypting all outbound traffic before it enters the corporate network. The ICS system continues to send Telnet plaintext to the VPN client, which encrypts it into the VPN tunnel. The corporate network sees only encrypted VPN traffic. At the VPN concentrator on the receiving end, the tunnel is decrypted and the Telnet session continues to the central server within a protected network segment. The specific protection VPN provides that the analyst’s approach cannot: VPN operates below the application layer. It adds transport-level encryption as a wrapper around all traffic from the device, regardless of what application or protocol is generating that traffic. The ICS Telnet application is unmodified; the VPN is transparent to it. This is the correct architectural approach when applications cannot be changed.
Scenario C: A sales representative works from coffee shops and airports, connecting to the corporate network over public Wi-Fi. The company has deployed WPA3 on all corporate office access points but has no control over public venue Wi-Fi infrastructure. The sales rep’s laptop needs to access a legacy order-entry application that communicates over unencrypted HTTP on port 80 and cannot be updated. An attacker at the same coffee shop attempts two things: (1) capturing the rep’s wireless traffic from the shared Wi-Fi AP; (2) capturing traffic at a network tap on the ISP link between the coffee shop and the internet. Which attack succeeds? What is the correct solution?
Answer: The public coffee shop Wi-Fi is not WPA3 — it is a public venue with infrastructure the company does not control. If the coffee shop uses WPA3, attack 1 fails: WPA3’s per-session unique keys prevent other devices on the same AP from decrypting the rep’s wireless traffic. If the coffee shop uses an open AP or WPA2, attack 1 succeeds: the attacker can capture and read the unencrypted HTTP traffic directly from the wireless segment. Attack 2 succeeds regardless of wireless security. The ISP tap is beyond the access point. WPA3 terminates at the AP — it provides no protection to traffic on the wired network. Since the application uses unencrypted HTTP, the traffic is in cleartext on the wired link and visible to the ISP tap. The correct solution is a corporate VPN. The VPN client on the sales rep’s laptop encrypts all traffic — including the HTTP from the legacy order-entry application — before it leaves the device. The VPN tunnel extends from the laptop to the corporate VPN concentrator. Both the wireless segment at the coffee shop and the ISP link carry only encrypted VPN traffic. The attacker sees ciphertext at both interception points. The legacy application is protected without modification because VPN operates transparently below the application layer.