Solved

Is HTTPS secure without a certificate?

Posted on 2011-09-23
6
557 Views
Last Modified: 2012-05-12
Points of My Scenario:
1. I am admin of a web server on Windows Server 2008 R2 Enterprise.
2. IIS is enabled, running, and has a working website deployed
3. The website is configured with a certificate
4. Clients received HTTP Error 403 when attempting https (SSL) access
5. I removed the requirement for certificates in IIS 7: I unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates" (all under the website's SSL Settings).
6. Users are still able to access the site using https://<site_url_path>.
QUESTION: Are users' https connection encrypted/secure? Please provide documentation links where possible.
0
Comment
Question by:waltforbes
6 Comments
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588499
Definitley not.  SSL is the security, if you disabled it that means there is no handshake and no encryption.  I will try to dig up some information but you can read about SSL from a google search.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36588508
Sounds like all you have now is an HTTP server that is listening on port 443.  You are not secured.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 36588546
Here is some information on ssl: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

You can have your own self signed certificate I believe, however it will throw errors when users connect.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 30

Accepted Solution

by:
Brad Howe earned 251 total points
ID: 36589126
Yes is it still secure.. IF you are using a VALID SSL Certificate (3rd party certificate) and it is still in the BINDINGS you are fine.

Those options you are talking about are just to FORCE that only https is REQUIRED for this virtual paths or roots.

Say for example, you unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates on /admin. - Some folder.

A user can browse to  http://domain.com/admin OR  https://domain.com/admin without issue.

If you checked them https://domain.com/admin works as previously BUT http://domain.com/admin will giving an error saying HTTPS is required.

Regardless of those options, browsing the site under HTTPS:// is under SSL.

Cheers,
Hades666

0
 
LVL 8

Assisted Solution

by:Shmoid
Shmoid earned 249 total points
ID: 36589433
hades666 is correct. You can verify that your session is encrypted by clicking the Lock icon on the right side of the URL bar in IE 7 & 8. I think it was at the bottom status bar in IE 6. Chrome and Firefox look at the left of the URL bar. In each case you can see the certificate, whether or not it is encrypted and some other info.

Also, if you just have a self signed certificate that no one trusts as long as the user clicks to continue to the site the session is still encrypted even though the browser shows the certificate error in the locations mentioned above.

Bottom line. If https is used and a time valid, non-revoked certificate is in place your session is encrypted.
0
 

Author Closing Comment

by:waltforbes
ID: 36590006
To hades666: wonderful explanation!
To Shmoid: excellent proof!
Now I can both explain & prove to superiors that we're secure despite the configuration.
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

#SSL #TLS #Citrix #HTTPS #PKI #Compliance #Certificate #Encryption #StoreFront #Web Interface #Citrix XenApp
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now