The exam’s most common secure-protocols trap is using a port number to conclude that a connection is encrypted. This is wrong. Port numbers are routing assignments, not security guarantees. The exam exploits this in two directions:
- Port 443 does not mean HTTPS. An administrator could configure an HTTP server to listen on 443. Without inspection, you cannot tell from the port alone.
- Port 80 does not mean unencrypted. Tunneled traffic or a misconfigured encrypted service could use port 80.
The only reliable verification method is Wireshark packet capture. If the payload shows readable ASCII text (usernames, passwords, HTML), the connection is unencrypted. If the payload is binary ciphertext, encryption is in use.
Exam trigger phrases:
- “Verify whether a connection is actually encrypted” → Wireshark / packet capture
- “The connection uses port 443 — is it secure?” → Cannot confirm without packet inspection
- “How can you confirm credentials are not being transmitted in cleartext?” → Capture and inspect the payload
When the exam presents a scenario where a legacy application cannot be replaced or reconfigured to use encryption, the answer is almost always VPN. This works because a VPN operates at the transport layer, wrapping all traffic from the device before it leaves the operating system.
- Application-level fixes (like switching Telnet to SSH) require changing the application. If the application is a vendor-supplied legacy system that cannot be modified, application-level fixes are not available.
- VPN adds encryption transparently below the application layer. Telnet, FTP, IMAP — all traffic is encrypted by the VPN regardless of whether the application itself supports encryption. The application sends plaintext to the VPN client; the VPN client encrypts it before transmission.
When to choose VPN over application replacement:
- The application cannot be changed (vendor system, legacy hardware)
- Multiple applications need protection simultaneously
- Users are connecting over untrusted networks to a corporate network
Common wrong answer to reject: “Replace the FTP server with SFTP” when the scenario states the application cannot be modified. VPN is the correct answer when replacement is not an option.
The exam uses WPA3 as a distractor in scenarios where the threat extends beyond the wireless segment. WPA3 is excellent at what it does — per-device, per-session wireless encryption — but its scope is strictly limited to the path from the wireless device to the access point.
- WPA3 prevents other wireless devices on the same AP from reading your traffic. Even if they know the Wi-Fi password, they cannot decrypt your session because each device gets unique cryptographic keys.
- WPA3 does not protect traffic beyond the access point. Once your data travels from the AP into the wired network, WPA3 has done its job. If the wired network is untrusted (ISP, corporate backbone, public infrastructure), WPA3 offers no protection there.
Exam scenario: A user connects to WPA3 Wi-Fi at a coffee shop. An attacker with access to the wired network behind the AP captures the user’s unencrypted HTTP traffic. WPA3 did not fail — its job is the wireless link only. The fix is to also use HTTPS or a VPN.
Scope comparison:
- WPA3: device → access point (wireless segment only)
- VPN: device → VPN concentrator (entire path, wired and wireless)
- HTTPS: browser → web server (end-to-end, application specific)
The exam recycles the same insecure-to-secure substitution pairs across multiple question types. If you have these seven pairs memorized, you can answer instantly without reasoning through the question. The pattern is always: “Which protocol replaces [insecure] for [function]?”
| Insecure | Port | Secure Replacement | Port |
|---|---|---|---|
| Telnet | 23 | SSH | 22 |
| FTP | 21 | SFTP / SCP | 22 (via SSH) |
| HTTP | 80 | HTTPS | 443 |
| IMAP | 143 | IMAPS | 993 |
| POP3 | 110 | POP3S | 995 |
| SMTP | 25 | SMTPS | 465 / 587 |
| Open Wi-Fi | — | WPA3 | — |
Memory shortcut: The “S” suffix on email protocols (IMAPS, POP3S, SMTPS) always means TLS encryption is added. SSH/22 absorbs both Telnet and FTP functions. HTTPS is HTTP plus TLS on 443.