Welcome to the JaguarPC Community

This is a discussion on HTTPS without SSL certificate in the Website Management forum

  1. #1
    Loyal Client
    Join Date
    Mar 2011
    Posts
    62

    HTTPS without SSL certificate

    I am a little confused about the relationship between HTTPS and SSL certificates. I would like to have higher security on some pages without having to invest in an SSL certificate at this time.

    Is any communication conducted between HTTPS automatically encrypted, i.e. default function is to encrypt? Also, is an SSL certificate required in order for it to work?

    If I change the login page of my website from HTTP to HTTPS will that mean information submitted on that page will be encrypted even if I don't have an SSL certificate?

    How can I achieve higher security, do I need to modify .htaccess?

  2. #2
    JPC Dream Team JPC-Bilal's Avatar
    Join Date
    Nov 2006
    Posts
    1,175
    Hi GherkinDilds,

    Unless and until you install an SSL Certificate on your site, no encryption will be done and you will not be able to access your site using HTTPS. Actually SSL provides the information that is required to encrypt the contents and if SSL is not available encryption cannot be done. For more details please open a ticket and Techs will assist you. Thank you.

  3. #3
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    If you are on a shared server, you used to be able to access your site over the shared ssl certificate at
    https://yourServerName.nocdirect.com/~yourAccountName/
    (Don't forget the trailing slash)

    I don't know if that's been changed, and I don't think it works on a vps, but I'm not sure about anything at my age.

    This is not an ideal situation, but it is available.

    Are you using the secure ports to access CPanel and webmail?
    Good luck

  4. #4
    Loyal Client
    Join Date
    Mar 2011
    Posts
    62
    I am running a VPS with Plesk. So HTTPS only encrypts with an SSL certificate, otherwise it is the same security as standard HTTP?

  5. #5
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    I am not sure what you're asking.
    If you want information exchanged between the browser and the server to be secure, excluding some possible exotic approaches you will need to purchase and install an SSL certificate, and then your pages and forms that you wish to be secure will all need to be run through the secure protocol httpS:

    This does not by itself make your website itself secure.
    It does not make your login process and authentication better.
    It simply prevents man-in-the-middle from reading the exchanged data (including passwords during login).
    Good luck

  6. #6
    Loyal Client
    Join Date
    Mar 2011
    Posts
    62
    So HTTPS has no benefit or additional security without an SSL certificate? What I am trying to ask is whether the HTTPS protocol in itself provides encryption? Will I have any additional security by using HTTPS and HTTP even though I am not using an SSL certificate?

  7. #7
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Quote Originally Posted by GherkinDilds
    So HTTPS has no benefit or additional security without an SSL certificate? What I am trying to ask is whether the HTTPS protocol in itself provides encryption? Will I have any additional security by using HTTPS and HTTP even though I am not using an SSL certificate?
    The protocol only ensures that your connection to a particular server is "signed." It requires that the server possess a certificate that identifies explicitly who it is and present it upon initial connection with a client. The protocol does not encrypt, but the certificate itself is encrypted.

    HTTPS just validates the server-client connection. A self-signed certificate (the server produces its own via the root account) works just as well as a third-party one but produces a warning to most clients. You purchase third-party certificates in order to avoid producing those warnings (and scaring visitors) and to provide an extra dose of insurance to potential consumers. No communication, again, is encrypted.

    Typically, in order to actually encrypt data, your web application must provide the mechanism.

  8. #8
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Quote Originally Posted by Spathiphyllum View Post
    No communication, again, is encrypted.

    Typically, in order to actually encrypt data, your web application must provide the mechanism.
    I don't think that's quite correct. Support for HTTPS with various levels of encryption is built into the webservers (like Apache httpd) and browsers. It doesn't require much - if anything - special from your application itself.

    The capabilities of server and browser determine what encryption levels can be used. Settings at both ends determine which of the possible options actually is used. I don't think there's any browser or server on the market that - without heavily messing with those settings - will set up an https connection without any encryption.


    Basically, HTTPS is about two things:
    • Communicating over a securely encrypted connection so no eavesdropping is possible along the way. What I just covered: both ends figure out what they can do (technically) and are allowed to do (by their owners) and usually come to an acceptable encryption level.
    • Knowing who you're communicating with: not much point to the nice safe tunnel if you're not sure who's at the other end. That's what the certificate is for.


    Also see http://en.wikipedia.org/wiki/HTTPS
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  9. #9
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    Quote Originally Posted by Spathiphyllum View Post
    No communication, again, is encrypted.

    Typically, in order to actually encrypt data, your web application must provide the mechanism.
    I'm no expert in this area, but these statements don't agree with what I think I know.

    My understanding is this: When you communicate over https:, your communications are encrypted. When you see the little locked symbol on your browser, you can rely on the fact that your communications are encrypted. (frames and accepted warnings notwithstanding)

    "Data encryption" is something else, except to the extent you consider communications to be data. In other words if you don't want anybody to be able to read the data -including the visitor themself- coming out of a client side application or applet or whatever, then the app/whatever will need to encrypt.

    But encrypting the communications over https is transparent.

    I think.
    Good luck

  10. #10
    || $name ne 'R.Stiltskin'
    Join Date
    Jun 2003
    Location
    Tejas
    Posts
    2,438
    Gwaihir and Ron,

    Then I stand corrected. It seems that the HTTPS protocol actually does continue encryption of data after the handshake has been established. Thanks for the correction.

    I try to proactively encrypt stored sensitive data in my applications, but that is quite different from the transmission over the web.

  11. #11
    Loyal Client
    Join Date
    Mar 2011
    Posts
    62
    Thanks for all the comments. A question about Apache httpd, does that come with a JPC VPS plan? Also, if my server does have Apache httpd, the server itself can encrypt communications? How do I capitalize on this without purchasing an SSL certificate?

  12. #12
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Hi,

    Yes, by default, our Linux VPS plans come with Apache.


    Yes, you can use self-signed certificates if you don't want to pay for a certificate but your visitors will get a warning message from their browser.
    I do work for JaguarPC. If you do need help please provide your ticket number (this isn't sensitive information).

    If I'm not active on the forum please open a ticket instead of PMing me. If you think the issue requires access to your server please open a ticket.

  13. #13
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Quote Originally Posted by GherkinDilds View Post
    How do I capitalize on this without purchasing an SSL certificate?
    You can only capitalize on it with an extremely limited set of users, that can judge and accept the self signed certificate. For example: for the admins of your site, whom you could mail "a certificate was installed today, please accept it".

    For the general public, there's no point in a self-signed certificate. But frankly, if you want to use it to exchange sensitive data with a larger audience, why would the $30 or so for a certificate be the hurdle?
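
Added example, not part of any post in this thread: the two halves of HTTPS described in posts #8 and #13 (an encrypted channel, and knowing who is at the other end), shown with a self-signed certificate. It assumes the `openssl` command-line tool is installed; the hostname `vps.example.test` and all function names are constructed for illustration.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "vps.example.test"  # constructed hostname, not from the thread

def make_self_signed(workdir):
    """Create a throwaway self-signed certificate with the openssl CLI."""
    cert, key = os.path.join(workdir, "cert.pem"), os.path.join(workdir, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "30",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}"],
        check=True, capture_output=True)
    return cert, key

def handshake(client_ctx, cert, key):
    """Run one TLS handshake over a local socket pair; report the outcome."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    c_sock, s_sock = socket.socketpair()

    def serve():
        try:
            with server_ctx.wrap_socket(s_sock, server_side=True) as tls:
                tls.recv(1)          # wait until the client hangs up
        except (ssl.SSLError, OSError):
            pass                     # client aborted or closed: expected here

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with client_ctx.wrap_socket(c_sock, server_hostname=HOST) as tls:
            return tls.version(), tls.cipher()[0]   # encrypted channel is up
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_code          # 18 = self-signed leaf
    finally:
        c_sock.close()
        worker.join()

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        cert, key = make_self_signed(workdir)
        # Visitor who has never seen the certificate (browser-like defaults).
        stranger = ssl.create_default_context()
        # Admin who was given the certificate out of band and trusts only it.
        pinned = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        pinned.load_verify_locations(cert)
        return {"stranger": handshake(stranger, cert, key),
                "pinned": handshake(pinned, cert, key)}

if __name__ == "__main__":
    print(demo())
```

The `stranger` client refuses the connection because nothing vouches for the certificate, while the `pinned` client negotiates a normal TLS version and cipher with the very same server.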

  14. #14
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Basically, this comes down to a "trust issue"...

    You, and your friends (if you have any), know who you are.

    However, when you're dealing with robots, browsers, and sheep (e.g. trying to suck them dry), spending $30 placates them?!?!?

    $30 seems cheap to prove that you're trustworthy. Then, again, if I spent $30, would you trust me?

    So, it comes down to proving you're trustworthy to robots, browsers, and sheep that DON'T know you.

    LoL! What an idiotic world we live in. No wonder everything is so %^&! up...

    Let's go shopping: http://www.godaddy.com/Compare/gdcom...isc=sslqgo002a

    I just whittled $49/yr at Go Daddy down to $12.99/yr. using Google Shopping.

    That makes me trustworthy, right?!?!? A $13/yr Go Daddy cert?!?!?

    LoL! What a bunch of fools...

    EDIT

    Er...

    Of course, I am referring to robots, browsers, and sheep... not the geniuses in these forums.

    I don't want anyone to think I'm condemning them.

    Trust me!

    EDIT2

    As an aside...

    I was talking with the guy that created Thawte the other night - Mark Shuttleworth. He owns Ubuntu now.

    Separate issue, but you may find this interesting: http://en.wikipedia.org/wiki/Thawte

    I *think* he trusts me, but how is one to know?

    Really, it kind of messed with my mind.

    I wonder if he has a cert... and if he did... would it make any difference.

    No, he probably has lots of certs, and I don't have any.

    I'm gonna have to think about this for a while.

    Carry on...
    Last edited by Vin DSL; 04-11-2011 at 06:16 AM.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  15. #15
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,312
    After a pickled onion lunch, I'd trust you more after a Certs.
    Good luck
