SSL Encryption

Russ

Hello. I am trying for the first time to use SSL. I went to the web
server and set directory security to 'Require SSL' and 'Require
Certificates'. This seems to work, but I was a bit surprised that it
did not seem to slow down access, since I am moving quite a lot of
data at times. So I decided to look at the data using network monitor
on the server.

All looked ok, I could see the web server receive a request from the
client, and see the server send off a request for data to the back end
server (communications with the back end server are not encrypted as
they are on the LAN, and the back end server is behind a firewall). I
could see the data come back from the server, and see the text of the
data as expected. Then I could see the web server sending data
packets to the requesting client, and the data all appears to be
encrypted - nothing is readable.

But then I turned SSL off, and changed to accept but not require
certificates, and connected using a client which does not have a
certificate (using password authentication only). When I look at the
data being sent back to the client it still appears to be encrypted -
nothing in plain text.

So my question is, why don't I see plain text data being sent over the
Internet when I don't use SSL?

Thanks, Russ
 
Kevin Yu [MSFT]

Hi Russ,

First of all, I would like to confirm my understanding of your issue. From
your description, I understand that you need to know whether, when we don't
use SSL, we can see the content of the page with network monitor. If there
is any misunderstanding, please feel free to let me know.

As far as I know, there are some other reasons which prevent us from
viewing the plain text. The contents might be compressed. You can try the
following steps to check if the site is compressed.

1. Open IIS manager.
2. Right-click the Web Sites folder and select Properties.
3. Under the Service tab you will see the compress application files
checkbox. If it is checked, the contents are compressed and are not readable.

HTH.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 
Russ

Thanks Kevin for the hint. However compression is not checked on the
WebSites folder. This is a Win2003, Web Edition server. Yes your
understanding of my question is accurate. When I use network monitor
to view the packets that are sent or received, over the internet,
to/from my client, shouldn't I be able to see plain text if SSL is not
in use?

Even when not using a certificate to connect, the packets still appear
to be encrypted.

Thanks, Russ
 
Kevin Yu [MSFT]

Hi Russ,

Could you let me know what kind of protocol you're using to access the
site, http or https? When Require Secure Channel is disabled, you can still
access the site with SSL encryption by https, because it means you can
access with either http or https when the checkbox is unchecked. But when it
is checked, you can only use https. So using https will always make your
contents encrypted.

HTH.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
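
The distinction discussed in the posts above (SSL-encrypted, compressed, or plain HTTP) can be read from the first bytes of each captured TCP payload. The following is an added example, not code from the thread; the sample payloads are constructed, and SSLv2-style hellos are not handled and come back as "unknown".

```python
import struct

# TLS/SSLv3 record content types (first byte of every record)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
               b"OPTIONS ", b"HTTP/1.")
MAX_RECORD = 2**14 + 2048  # upper bound on an encrypted record's length field


def classify_payload(payload: bytes) -> str:
    """Classify the start of a TCP payload seen on a web connection."""
    # Plain HTTP begins with a request method or a status line.
    if payload.startswith(HTTP_STARTS):
        head, _, _body = payload.partition(b"\r\n\r\n")
        for line in head.decode("latin-1").lower().split("\r\n")[1:]:
            name, _, value = line.partition(":")
            # Headers stay readable even when the body is compressed.
            if name.strip() == "content-encoding" and \
                    value.strip() in ("gzip", "deflate"):
                return "http-compressed"
        return "http-plaintext"
    # Record header: type(1) | major(1) | minor(1) | length(2, big-endian)
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= MAX_RECORD):
            return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "unknown"


# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "client_hello": b"\x16\x03\x01\x00\x2f" + bytes(47),
    "app_data": b"\x17\x03\x01\x00\x20" + bytes(range(32)),
    "plain": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "gzip": b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n\x1f\x8b\x08",
}


def classify_samples() -> dict:
    """Return {sample name: verdict} for the constructed payloads."""
    return {name: classify_payload(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:13} {verdict}")
```

A connection whose first client payload classifies as a TLS handshake is using https regardless of whether the server requires it.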
 
Russ

Thank you Kevin. That was the answer - I did not realize that I was
still connecting with HTTPS, duh! Anyway that answers my question and
I have confirmed for myself that the data is encrypted. Now, if you
can, I have another question.

In our application we need to have our clients use client
certificates. I am able to request certificates to the local
certificate server via http:\\server\certsrv, and install them and all
is ok. But with real clients we do not want to use this mechanism.
We want to physically give the clients the certificate (on CD), and
have them use that one. But I cannot find out how to do this. How do
I request a certificate that is not automatically installed and how do
I find the resulting certificate so I can copy it to disk, and how do
I get the client's browser to install the certificate from the file.

I have spent a lot of time searching MS documentation and the Internet
for these answers without any luck, so if you can answer or point me
to appropriate documentation I would very much appreciate it.

Thank you, Russ
 
Kevin Yu [MSFT]

Hi Russ,

It was nice to hear that you have had the problem resolved. However, for
your second question, since I'm not quite familiar with IIS security issues,
I suggest you post in the microsoft.public.inetserver.iis.security newsgroup.
There will be more people replying to you there. HTH.

Kevin Yu
=======
"This posting is provided "AS IS" with no warranties, and confers no
rights."
 
Russ

Um, not sure what WSE is. Using ASP.NET, aspx application. Clients
use IE to connect to the aspx via HTTPS.

Rather new to all this so forgive me if I don't understand your
question.

Thanks, Russ
 
