312-50V11 · Question #382
A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation aga
The correct answer is C. Requiring client and server PKI certificates for all connections. Mutual TLS, requiring both client and server certificates, is the strongest defense against man-in-the-middle attacks because it forces cryptographic authentication of both parties.
Question
A network security administrator is worried about potential man-in-the-middle attacks when users access a corporate web site from their workstations. Which of the following is the best remediation against this type of attack?
Options
- AImplementing server-side PKI certificates for all connections
- BMandating only client-side PKI certificates for all connections
- CRequiring client and server PKI certificates for all connections
- DRequiring strong authentication for all DNS queries
How the community answered
(52 responses)- A12% (6)
- B2% (1)
- C81% (42)
- D6% (3)
Why each option
Mutual TLS, requiring both client and server certificates, is the strongest defense against man-in-the-middle attacks because it forces cryptographic authentication of both parties.
Server-only certificates authenticate the server to the client but leave the client unauthenticated, allowing an attacker to relay or intercept traffic while posing as a legitimate client.
Client-only certificates verify the client's identity but do not authenticate the server, leaving users vulnerable to connecting to a rogue server that intercepts their traffic.
Requiring both client and server certificates implements mutual TLS (mTLS), where each party must present a valid certificate and prove possession of the corresponding private key. This eliminates impersonation from either direction - an attacker cannot pose as the server to the client or as the client to the server - which is the core mechanism of man-in-the-middle attacks.
Strong DNS query authentication mitigates DNS spoofing and cache poisoning attacks but does not prevent MitM interception of the actual HTTPS session once a connection is established.
Concept tested: Mutual TLS as MitM attack remediation
Source: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
Topics
Community Discussion
No community discussion yet for this question.