Solved

Is HTTPS secure without a certificate?

Posted on 2011-09-23
Last Modified: 2012-05-12
Points of My Scenario:
1. I am admin of a web server on Windows Server 2008 R2 Enterprise.
2. IIS is enabled, running, and has a working website deployed
3. The website is configured with a certificate
4. Clients received HTTP Error 403 when attempting https (SSL) access
5. I removed the requirement for certificates in IIS 7: I unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates" (all under the website's SSL Settings).
6. Users are still able to access the site using https://<site_url_path>.
QUESTION: Are users' https connections encrypted/secure? Please provide documentation links where possible.
Question by:waltforbes
6 Comments
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588499
Definitely not.  SSL is the security; if you disabled it, that means there is no handshake and no encryption.  I will try to dig up some information, but you can read about SSL from a Google search.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36588508
Sounds like all you have now is an HTTP server that is listening on port 443.  You are not secured.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588546
Here is some information on SSL: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

You can have your own self-signed certificate, I believe; however, it will throw errors when users connect.
0
 
LVL 30

Accepted Solution

by:
Brad Howe earned 251 total points
ID: 36589126
Yes, it is still secure. IF you are using a VALID SSL Certificate (3rd party certificate) and it is still in the BINDINGS, you are fine.

Those options you are talking about are just to FORCE that only https is REQUIRED for these virtual paths or roots.

Say, for example, you unchecked the "Require SSL" checkbox & chose the "Ignore" option for "Client Certificates" on /admin - some folder.

A user can browse to http://domain.com/admin OR https://domain.com/admin without issue.

If you checked them, https://domain.com/admin works as previously BUT http://domain.com/admin will give an error saying HTTPS is required.

Regardless of those options, browsing the site under HTTPS:// is under SSL.

Cheers,
Hades666

0
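The distinction drawn in the accepted answer, as an added example that is not part of the original thread: the site's bindings decide whether HTTPS is available, while the `sslFlags` setting behind the "Require SSL" and "Client Certificates" options only decides whether plain HTTP is refused and whether a client certificate is requested. The configuration below is a constructed sample in the layout of IIS 7's applicationHost.config; the site name `Intranet` and its paths are assumptions, and the audit assumes a server certificate is attached to the https binding (that association is held by HTTP.sys, not in this file).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IIS 7's applicationHost.config;
# the site name, paths and ports are made up for illustration.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost><sites>
    <site name="Intranet" id="1"><bindings>
      <binding protocol="http" bindingInformation="*:80:" />
      <binding protocol="https" bindingInformation="*:443:" />
    </bindings></site>
  </sites></system.applicationHost>
  <location path="Intranet">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
  <location path="Intranet/admin">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security></system.webServer>
  </location>
</configuration>
"""

def audit(config_xml):
    """Report, per configured path, what the bindings and sslFlags allow."""
    root = ET.fromstring(config_xml.strip())
    # Protocols a site listens on come from its bindings, not from sslFlags.
    bindings = {
        site.get("name"): {b.get("protocol") for b in site.iter("binding")}
        for site in root.iter("site")
    }
    report = {}
    for loc in root.iter("location"):
        access = next(loc.iter("access"), None)
        if access is None:
            continue
        flags = {f.strip() for f in access.get("sslFlags", "None").split(",")}
        protocols = bindings.get(loc.get("path").split("/")[0], set())
        report[loc.get("path")] = {
            # HTTPS requests are TLS-protected whenever an https binding exists.
            "https_encrypted": "https" in protocols,
            # Plain HTTP is served only if bound and "Require SSL" is off.
            "http_allowed": "http" in protocols and "Ssl" not in flags,
            "client_cert": ("Require" if "SslRequireCert" in flags else
                            "Accept" if "SslNegotiateCert" in flags else "Ignore"),
        }
    return report
```

For the sample, `audit(SAMPLE_CONFIG)` shows the site root (the questioner's settings) still encrypted over HTTPS but also reachable over plain HTTP, which is the exposure that unchecking "Require SSL" leaves open.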
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 249 total points
ID: 36589433
hades666 is correct. You can verify that your session is encrypted by clicking the Lock icon on the right side of the URL bar in IE 7 & 8. I think it was at the bottom status bar in IE 6. In Chrome and Firefox, look at the left of the URL bar. In each case you can see the certificate, whether or not it is encrypted, and some other info.

Also, if you just have a self-signed certificate that no one trusts, as long as the user clicks to continue to the site, the session is still encrypted even though the browser shows the certificate error in the locations mentioned above.

Bottom line: if https is used and a time-valid, non-revoked certificate is in place, your session is encrypted.
0
 

Author Closing Comment

by:waltforbes
ID: 36590006
To hades666: wonderful explanation!
To Shmoid: excellent proof!
Now I can both explain & prove to superiors that we're secure despite the configuration.
0
