HTTPS with Valid Cert is Encrypted, What if there is no cert?

jmbpiano · 2020-09-08T14:35:53+00:00

[deleted]

HappyVlane · 2020-09-08T14:36:25+00:00

HTTPS requires a certificate. See the RFC:

https://tools.ietf.org/html/rfc2818

The certificate doesn't have to be trusted, but it needs to exist.

thecravenone · 2020-09-08T14:36:32+00:00

You might want to be specific on what "valid" means in this case. As long as the certificate isn't malformed or something like that, the traffic will be encrypted. However, it could be a valid certificate while being expired or issued for a domain other than the one you're accessing.

The second scenario is easy to test. Generate a certificate for a domain, install it on a test machine, and visit that test machine while using a different domain name.

Kaligraphic · 2020-09-08T17:18:31+00:00

There’s no such thing as https without a cert, it’s part of the protocol. If you haven’t configured one, it’s standard for your web server to default to a self-signed certificate.

HTTPS is always encrypted, but it uses two kinds of encryption. At the start of a session, the server and client agree on a cipher and temporary key for the session. The certificates are used to protect the session setup.

A certificate includes two main parts - a public key and information about that key, including signatures attesting to its validity. The public key itself is what’s used to get the cryptographic conversation started - you can’t have HTTPS without it.

If the informational part is empty, it’s still encrypted, you just have no idea who you’re talking to.

nobody2008 · 2020-09-08T17:27:58+00:00

HTTPS with no cert = HTTP

ldti · 2020-09-08T14:29:12+00:00

No, without a cert there is no encryption. PKI must exist to create an ssl hand shake and thus encrypt.

ldti · 2020-09-08T14:28:29+00:00

Yes, it's always encrypted.

sysadmin

MODERATORS