Here is the context: I am in the development of the administration website of a public website. The users of the administration website are just few employees of a company and I don’t want to make them use HTTP in order to prevent a man-in-the-middle attack.
If I understand correctly, using HTTP would allow anyone who has the ability to sniff the packets (an internet service provider, a malicious guy « listening » to the Wifi signal, ...) to catch the login and password when someone logs in to the administration website, right?
I read everywhere to use HTTPS and buy some kind of certificate but I am not willing (unless you give me a good reason) neither to pay for this, nor to get one for free in order just to have a green light on the web browser of my users.
As the title of this question points out, I don’t understand if:
- The HTTPS certificate is entirely part of the secure communication channel which means that I would have to choose between HTTP or HTTPS but nothing between.
or if
- The HTTPS certificate is just something added on top of the secure communication channel to give users some « sense of confidence » from a trusted third party, which, in this case, would mean that I can choose between HTTP (everyone can sniff the packets), HTTPS without a certificate (secure communication but no green light), and HTTPS with a certificate (secure communication with a green light).
or
- Something else.
I really don’t see the point of getting a certificate because if someone, despite all the technical difficulties, succeeds at putting in place a man-in-the-middle attack between one of my users and my web server, in my perception, it does not seem like much added effort to put in place the same attack between my user and the certificate authority.
I must certainly be missing something here; can anyone point me in any direction?
Thanks
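The following is an added illustration, not part of the question above, of the distinction the asker is reaching for: the encryption and the certificate are not two separable layers. A key exchange such as Diffie-Hellman produces a secret that nobody passively sniffing the wire can learn, but by itself it gives the client no way to know whose key it just agreed on; an active interceptor can run one exchange with each side and relay the traffic. What the certificate adds is the server's proof of identity, checked against a trust anchor the browser already holds before the connection starts, so there is no online lookup to the certificate authority for a man-in-the-middle to sit on. The code models this with a toy Diffie-Hellman group and, as an assumption for illustration only, an HMAC tag under a key the client obtained in advance standing in for the certificate and signature that real TLS uses; the group size, names and parameters are constructed and far too small for real use.

```python
"""Toy model: why the certificate is part of the secure channel, not decoration.

Constructed example (not from the original question). The DH group, the HMAC
stand-in for a certificate/signature, and all party names are assumptions.
"""
import hashlib
import hmac
import secrets

# Toy DH group (constructed): a 127-bit Mersenne prime and a small base.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)


def derive_key(private, peer_public):
    """Session key = hash of the shared DH secret. The result is the same
    whether or not the peer is who we think it is: DH alone carries no identity."""
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def unauthenticated_exchange():
    """Plain DH with an active interceptor on the path ('HTTPS without a
    certificate'). Returns True when the interceptor holds both session keys,
    i.e. it can read and relay everything while both ends see 'encryption'."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    # Each side receives the interceptor's public value instead of the peer's.
    client_key = derive_key(c_priv, m_pub)
    server_key = derive_key(s_priv, m_pub)

    # The interceptor computes one key per side and relays between them.
    key_with_client = derive_key(m_priv, c_pub)
    key_with_server = derive_key(m_priv, s_pub)
    return client_key == key_with_client and server_key == key_with_server


# Stand-in for a certificate (assumption): a long-term secret held by the
# server, whose verification material the client obtained out of band before
# the connection. Real TLS uses an asymmetric signature checked against a CA
# chain that ships in the browser's trust store; the role played is the same.
SERVER_LONG_TERM_KEY = secrets.token_bytes(32)   # held by the server
CLIENT_TRUST_ANCHOR = SERVER_LONG_TERM_KEY        # pinned by the client in advance


def authenticate(key, dh_public):
    """Bind a DH public value to a long-term identity key."""
    return hmac.new(key, dh_public.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(interceptor_present):
    """DH where the server's public value arrives with an authenticator the
    client can check against its trust anchor. Returns ("rejected", None) or
    ("ok", <client and server derived the same key>)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    tag = authenticate(SERVER_LONG_TERM_KEY, s_pub)

    if interceptor_present:
        m_priv, m_pub = dh_keypair()
        # The interceptor can swap the DH value, but it holds no key the client
        # trusts, so the best it can do is authenticate with a key of its own.
        s_pub, tag = m_pub, authenticate(secrets.token_bytes(32), m_pub)

    if not hmac.compare_digest(tag, authenticate(CLIENT_TRUST_ANCHOR, s_pub)):
        return ("rejected", None)   # the browser's certificate error

    client_key = derive_key(c_priv, s_pub)
    server_key = derive_key(s_priv, c_pub)
    return ("ok", client_key == server_key)


if __name__ == "__main__":
    print("interceptor reads unauthenticated session:", unauthenticated_exchange())
    print("authenticated, no interceptor:", authenticated_exchange(False))
    print("authenticated, interceptor present:", authenticated_exchange(True))
```

The point the toy makes is that "secure channel without a certificate" only protects against passive sniffing; against the man-in-the-middle the question is worried about, the channel is only as good as the client's ability to check who is at the other end, and that check is what the certificate (or, for a handful of known users, a pinned self-signed certificate they were given in advance) provides.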