[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Is HTTPS secure without a certificate?

Posted on 2011-09-23
6
Medium Priority
?
597 Views
Last Modified: 2012-05-12
Points of My Scenario:
1. I am admin of a web server on Windows Server 2008 R2 Enterprise.
2. IIS is enabled, running, and has a working website deployed
3. The website is configured with a certificate
4. Clients received HTTP Error 403 when attempting https (SSL) access
5. I removed the requirement for certificates in IIS 7: I unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates" (all under the website's SSL Settings).
6. Users are still able to access the site using https://<site_url_path>.
QUESTION: Are users' https connection encrypted/secure? Please provide documentation links where possible.
0
Comment
Question by:waltforbes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588499
Definitley not.  SSL is the security, if you disabled it that means there is no handshake and no encryption.  I will try to dig up some information but you can read about SSL from a google search.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36588508
Sounds like all you have now is an HTTP server that is listening on port 443.  You are not secured.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588546
Here is some information on ssl: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

You can have your own self signed certificate I believe, however it will throw errors when users connect.
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 30

Accepted Solution

by:
Brad Howe earned 1004 total points
ID: 36589126
Yes is it still secure.. IF you are using a VALID SSL Certificate (3rd party certificate) and it is still in the BINDINGS you are fine.

Those options you are talking about are just to FORCE that only https is REQUIRED for this virtual paths or roots.

Say for example, you unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates on /admin. - Some folder.

A user can browse to  http://domain.com/admin OR  https://domain.com/admin without issue.

If you checked them https://domain.com/admin works as previously BUT http://domain.com/admin will giving an error saying HTTPS is required.

Regardless of those options, browsing the site under HTTPS:// is under SSL.

Cheers,
Hades666

0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 996 total points
ID: 36589433
hades666 is correct. You can verify that your session is encrypted by clicking the Lock icon on the right side of the URL bar in IE 7 & 8. I think it was at the bottom status bar in IE 6. Chrome and Firefox look at the left of the URL bar. In each case you can see the certificate, whether or not it is encrypted and some other info.

Also, if you just have a self signed certificate that no one trusts as long as the user clicks to continue to the site the session is still encrypted even though the browser shows the certificate error in the locations mentioned above.

Bottom line. If https is used and a time valid, non-revoked certificate is in place your session is encrypted.
0
 

Author Closing Comment

by:waltforbes
ID: 36590006
To hades666: wonderful explanation!
To Shmoid: excellent proof!
Now I can both explain & prove to superiors that we're secure despite the configuration.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question