Exam CISM topic 1 question 360 discussion

CA cert

A. The certificate of the e-commerce server

The correct answer is (A) The certificate of the e-commerce server as validating the commerce server's identity depends on checking with the Certificate authority the server's certificate. (i.e. trusted third party just like the state department verifies your identity with a passport. Except in this case the state department is the certificate authority and the passport is the certificate) B. Phishing campaigns typically use valid SSL so this wouldn't help with that. You need to verify that you are indeed connecting to the correct server and not just any old server that has a certificate. C. The IP address is not a valid form of identification like a certificate is. D. The URL of the e-commerce server is not a valid option as DNS records could be poisoned and machines can be arp spoofed. Hell, even man-in-the-middle attacks can make this a bad form of identification. But a certificate is digitally signed and thus due to one-way cryptographic hashes and third-party validation (CA), it's a much more secure method to use option (A) certificates.

Answer B. The browser's indication of SSL use Secure transport protocol (such as SSL or TLS) encrypts Internet communication between the client and the e-commerce server to ensure confidentiality and integrity. When the client accesses the e-commerce site, the browser should indicate that SSL is being used by displaying a padlock icon or a green address bar. This indicates that the communication between the client and the e-commerce server is encrypted and that the server's certificate has been verified. The certificate of the e-commerce server (Option A) can be verified by the client to ensure that the server's identity is valid and trusted, but it does not confirm that the communication is encrypted.