Solved

Is HTTPS secure without a certificate?

Posted on 2011-09-23
6
584 Views
Last Modified: 2012-05-12
Points of My Scenario:
1. I am admin of a web server on Windows Server 2008 R2 Enterprise.
2. IIS is enabled, running, and has a working website deployed
3. The website is configured with a certificate
4. Clients received HTTP Error 403 when attempting https (SSL) access
5. I removed the requirement for certificates in IIS 7: I unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates" (all under the website's SSL Settings).
6. Users are still able to access the site using https://<site_url_path>.
QUESTION: Are users' https connection encrypted/secure? Please provide documentation links where possible.
0
Comment
Question by:waltforbes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588499
Definitley not.  SSL is the security, if you disabled it that means there is no handshake and no encryption.  I will try to dig up some information but you can read about SSL from a google search.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36588508
Sounds like all you have now is an HTTP server that is listening on port 443.  You are not secured.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588546
Here is some information on ssl: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

You can have your own self signed certificate I believe, however it will throw errors when users connect.
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 30

Accepted Solution

by:
Brad Howe earned 251 total points
ID: 36589126
Yes is it still secure.. IF you are using a VALID SSL Certificate (3rd party certificate) and it is still in the BINDINGS you are fine.

Those options you are talking about are just to FORCE that only https is REQUIRED for this virtual paths or roots.

Say for example, you unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates on /admin. - Some folder.

A user can browse to  http://domain.com/admin OR  https://domain.com/admin without issue.

If you checked them https://domain.com/admin works as previously BUT http://domain.com/admin will giving an error saying HTTPS is required.

Regardless of those options, browsing the site under HTTPS:// is under SSL.

Cheers,
Hades666

0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 249 total points
ID: 36589433
hades666 is correct. You can verify that your session is encrypted by clicking the Lock icon on the right side of the URL bar in IE 7 & 8. I think it was at the bottom status bar in IE 6. Chrome and Firefox look at the left of the URL bar. In each case you can see the certificate, whether or not it is encrypted and some other info.

Also, if you just have a self signed certificate that no one trusts as long as the user clicks to continue to the site the session is still encrypted even though the browser shows the certificate error in the locations mentioned above.

Bottom line. If https is used and a time valid, non-revoked certificate is in place your session is encrypted.
0
 

Author Closing Comment

by:waltforbes
ID: 36590006
To hades666: wonderful explanation!
To Shmoid: excellent proof!
Now I can both explain & prove to superiors that we're secure despite the configuration.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question