Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I use SSL certificate without using a HTTPS connection?

Tags:

https

ssl

I'm kinda confused. If SSL certificates help to indentify that you are connected to a trusted server, then why is it necessary to use an encrypted ( HTTPS ) connection ? Can I use SSL certificates for HTTP connections?

like image 671
johngreen Avatar asked Jul 09 '11 18:07

johngreen


People also ask

What happens if you dont use HTTPS?

Without HTTPS, any data passed is insecure. This is especially important for sites where sensitive data is passed across the connection, such as eCommerce sites that accept online card payments, or login areas that require users to enter their credentials.

Can I have HTTPS without certificate?

You CAN'T use https without any certificate. You need either to buy a trusted certificate or create a self-signed one for testing. Part of configuring your web server to use https is to point it to the correct key files. Of course, this applies to all web servers not only to iis.

Is HTTPS always necessary?

You should always protect all of your websites with HTTPS, even if they don't handle sensitive communications.

Does SSL enable HTTPS?

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate.


1 Answers

There's a misconception here. Certificates are not SSL. It's SSL that uses certificates, but certificates were born before SSL. Consequently yes, you can use X.509 certificates without SSL (you can sign the request and put the signature to, for example, HTTP headers). You can use certificates with SSL but without SSL encryption (some of NULL ciphersuites).

The convenience of SSL/TLS is that it's a standard, i.e. it's widely recognized and strictly defined, while with other schemes you'd need to implement something homemade. Yet I can remind you of WS-Security standard which does exactly what you are asking about -- when you send the request to the web server via HTTP and utilize WS-Security, you get certificate authentication without SSL (via plain HTTP).

like image 187
Eugene Mayevski 'Callback Avatar answered Oct 15 '22 19:10

Eugene Mayevski 'Callback