Web protocols and security:
Is plain Hypertext Transfer Protocol (HTTP) considered secure for transmitting data over the network, or is security provided only when using HTTPS (HTTP over TLS/SSL)?

Difficulty: Easy

Correct Answer: Incorrect

Explanation:


Introduction / Context:
This question tests foundational web security knowledge: whether plain HTTP protects confidentiality and integrity of data in transit, or whether security requires HTTPS (HTTP layered over Transport Layer Security).



Given Data / Assumptions:

  • HTTP refers to the clear-text protocol on port 80 by convention.
  • HTTPS refers to HTTP over TLS/SSL, commonly on port 443.
  • Attackers may observe, modify, or inject traffic on untrusted networks.



Concept / Approach:
HTTP itself provides no encryption, integrity checking, or endpoint authentication. Anyone on the path can eavesdrop or tamper with requests and responses. HTTPS introduces encryption, integrity, and server authentication using certificates. Therefore, describing plain HTTP as “secure” is inaccurate; only HTTPS provides the necessary protections against passive and active network threats.



Step-by-Step Solution:
  • Identify the protocol: HTTP (no TLS) or HTTPS (with TLS).
  • Evaluate security properties: HTTP = no encryption/integrity/authentication; HTTPS = encryption + integrity + certificate-based authentication.
  • Conclude that security is achieved via HTTPS, not plain HTTP.



Verification / Alternative check:
Use a network sniffer on a test network. You will see readable headers and payloads for HTTP, while HTTPS traffic appears as opaque ciphertext.



Why Other Options Are Wrong:
“Secure only on private LANs” is unsafe—internal networks can be hostile. “Secure with basic auth” is wrong because basic auth sends credentials in a reversible encoding unless used with TLS. Marking “Correct” would wrongly imply HTTP alone is sufficient.
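
The sniffer check and the basic-auth point above, as an added example that is not part of the original page: a Python function that reports what an on-path observer can read from a captured payload. The sample payloads, host name and credentials are constructed for illustration.

```python
import base64

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
TLS_RECORD_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed sample payloads, not real traffic.
HTTP_SAMPLE = (b"GET /account HTTP/1.1\r\nHost: intranet.example\r\n"
               b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
# TLS record header (type 23, version 3.3, length 32) followed by stand-in ciphertext bytes.
TLS_SAMPLE = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))


def inspect_payload(payload: bytes) -> dict:
    """Report what an on-path observer can read from a captured TCP payload."""
    if payload.startswith(HTTP_METHODS):
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        finding = {"protocol": "http", "request_line": lines[0],
                   "host": headers.get("host"), "basic_credentials": None}
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() == "basic":
            try:
                # Base64 is an encoding, not encryption: no key is needed to reverse it.
                finding["basic_credentials"] = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            except ValueError:
                finding["basic_credentials"] = "<malformed>"
        return finding
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        # For application_data records only the 5-byte header is readable; the body is ciphertext.
        return {"protocol": "tls", "record_type": TLS_RECORD_TYPES[payload[0]],
                "record_length": int.from_bytes(payload[3:5], "big"), "basic_credentials": None}
    return {"protocol": "unknown", "basic_credentials": None}


if __name__ == "__main__":
    for sample in (HTTP_SAMPLE, TLS_SAMPLE):
        print(inspect_payload(sample))
```

Run against a capture from your own test network, any payload that returns `protocol: http` with non-empty `basic_credentials` marks a service that needs to move behind TLS.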



Common Pitfalls:
Confusing authentication with encryption; believing that obfuscation or custom headers make HTTP secure; assuming VPNs always protect end-to-end (they do not if traffic exits the VPN).



Final Answer:
Incorrect
