-4

Following the question posted, "How to make a website secured with https", my question comes from an overflow of SSL information.

I have seen a lot of examples of websites written in ASP.NET Web API or MVC that embed an HTTPS authorization into the website programmatically. I also know how to enable HTTPS on IIS.

I was working on developing a website and put HTTPS into my controllers. And following videos I have watched on pluralsight.com, I added HTTPS on WebAPI for my website. A coworker asked why I spent time doing that since I will just be enabling it on the IIS server.

I don't know why I did it, but I saw examples of both. From a junior developer's frustration, can I enable HTTPS on the server and be safe from unencrypted connections?

I assume that someone could hijack the server and issue certs that I could prevent from being used on my website by programmatically enabling HTTPS on my website, which would be on the client in addition to the server.

Victor Frank
  • HTTPS has nothing to do with authentication or authorization. – ZippyV Oct 16 '15 at 22:06
  • Are you conflating `AuthorizationFilterAttribute` with `RequireHttpsAttribute`? – Preston Guillot Oct 16 '15 at 22:07
  • @ZippyV you can use a client cert for authentication when establishing an SSL channel. So "nothing" is probably a bit too strong. – Alexei Levenkov Oct 16 '15 at 22:16
  • @AlexeiLevenkov Ok, *virtually nothing*. Let's not confuse Victor even more. – ZippyV Oct 16 '15 at 22:30
  • You seem to be asking four questions here. Try being more specific. – Eric Lippert Oct 16 '15 at 22:31
  • I tried to direct the question, but I'm not positive what the simple question is. I want to know if I can trust that having HTTPS enabled on the IIS server is sufficient for an encrypted connection. Or whether having it programmed into the website will be additionally secure. That's what my thought process is. Put it there twice and for sure it will be encrypted. – Victor Frank Oct 16 '15 at 22:55
  • @PrestonGuillot I was not clear before; I was rolling my own HTTPS to handle different scenarios. But yes, that would be more appropriate for this question. – Victor Frank Oct 16 '15 at 22:58
  • It's still not clear what you mean. How are you rolling your own HTTPS? How are you programming it into the website? – mason Oct 17 '15 at 00:23

1 Answer

0

Website security and web server security are two areas that overlap. So to address your questions, you should study both areas and see which are the typical measures to assert risks and actions to remedy.

Generally speaking, HTTPS is a method to encrypt client/server communication and to verify the server's and/or client's identity. So it falls into the website security area.

Your coworker might just notice the fact that no matter how secure a site is, the server security is a completely separate area. But you should be aware that if a site is not secure, it also can be the Achilles heel of a web server that hosts it (for example, a whole server can be compromised just because a site on it is hacked).

Information security is a very complex concept, so I could not use such a short answer to reveal every aspect to you, but I hope it can help you understand some of the basic facts.

Lex Li