• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 600
  • Last Modified:

Is HTTPS secure without a certificate?

Points of My Scenario:
1. I am admin of a web server on Windows Server 2008 R2 Enterprise.
2. IIS is enabled, running, and has a working website deployed
3. The website is configured with a certificate
4. Clients received HTTP Error 403 when attempting https (SSL) access
5. I removed the requirement for certificates in IIS 7: I unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates" (all under the website's SSL Settings).
6. Users are still able to access the site using https://<site_url_path>.
QUESTION: Are users' https connection encrypted/secure? Please provide documentation links where possible.
0
waltforbes
Asked:
waltforbes
2 Solutions
 
BCipolloneCommented:
Definitley not.  SSL is the security, if you disabled it that means there is no handshake and no encryption.  I will try to dig up some information but you can read about SSL from a google search.
0
 
PapertripCommented:
Sounds like all you have now is an HTTP server that is listening on port 443.  You are not secured.
0
 
BCipolloneCommented:
Here is some information on ssl: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

You can have your own self signed certificate I believe, however it will throw errors when users connect.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
Brad HoweCommented:
Yes is it still secure.. IF you are using a VALID SSL Certificate (3rd party certificate) and it is still in the BINDINGS you are fine.

Those options you are talking about are just to FORCE that only https is REQUIRED for this virtual paths or roots.

Say for example, you unchecked the "Require SSL" checkbox & I chose the "Ignore" option for "Client Certificates on /admin. - Some folder.

A user can browse to  http://domain.com/admin OR  https://domain.com/admin without issue.

If you checked them https://domain.com/admin works as previously BUT http://domain.com/admin will giving an error saying HTTPS is required.

Regardless of those options, browsing the site under HTTPS:// is under SSL.

Cheers,
Hades666

0
 
ShmoidCommented:
hades666 is correct. You can verify that your session is encrypted by clicking the Lock icon on the right side of the URL bar in IE 7 & 8. I think it was at the bottom status bar in IE 6. Chrome and Firefox look at the left of the URL bar. In each case you can see the certificate, whether or not it is encrypted and some other info.

Also, if you just have a self signed certificate that no one trusts as long as the user clicks to continue to the site the session is still encrypted even though the browser shows the certificate error in the locations mentioned above.

Bottom line. If https is used and a time valid, non-revoked certificate is in place your session is encrypted.
0
 
waltforbesAuthor Commented:
To hades666: wonderful explanation!
To Shmoid: excellent proof!
Now I can both explain & prove to superiors that we're secure despite the configuration.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now