Can I use port 443 without SSL?

  • I am running a web server on port 80 and I also have port 443 (HTTPS) turned on, but it is not enforced. I did not self-sign or sign with a proper CA (i.e., I don't use SSL for my site). Does leaving port 443 turned on pose a threat to my web server? For example, could an attacker hack port 443 and come into my website at port 80?

    What do you see as the added value of using port 443 versus only port 80?

    I could see some value in being able to respond on https:// and redirect it to http:// without a server error, but that won't happen just by leaving 443 open (unless I'm much mistaken) - you'll have to have a proper SSL certificate for even that to work, and if it's self signed your users are still going to get the warning about an untrusted certificate.

    If you want a proper SSL certificate for free, just to allow the https:// protocol to work, this was the first result on Google - I make no guarantees as to their reliability or trustworthiness, but it's the only one I saw (in 3 minutes of searching) that was free for a full year cert that is renewable.

    Please define what you mean by "turned on".

    I'm not sure I understand. Are you running https or not? In one sentence you say you're using https, in the next you say you're not using SSL. Which is it? https is http over SSL. You can't run https without using SSL.

    Sorry for the confusion. It means SSL is not enforced on my site as my site is for information and there is no passing of sensitive information. I guess in order not to complicate things, it is better to turn it off.

  • So you're running port 443 on a web server using plain HTTP (no TLS/SSL)?

    Best practice is to close any ports that are not being used.

    It depends on where the web root for port 443 is configured to look on your server. If this is the same location as your normal website then this could be a risk if there are certain items that need to be secured via configuration that is missing on this second webroot's setup.

    If it is configured to look elsewhere, then files could be unintentionally exposed.

    It is not a security risk to your users because they will not see https:// or the padlock in the browser address bar. They would simply see http://example.com:443/ which gives the same security as port 80 would (http://example.com/).
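The web-root comparison described in the answer above, as an added example that is not part of the original answer: a small audit over a constructed nginx-style config that flags a `listen 443` without `ssl` and reports whether it shares the port-80 root but lacks its `deny all` rules, or serves a different root. The nginx syntax, the sample paths and the names `parse_servers` and `audit` are assumptions made for illustration.

```python
import re
# Constructed sample (assumptions: nginx syntax, top-level server blocks, no
# comments or quoted strings; the page does not name a web server).
SAMPLE = r"""
server { listen 80; root /var/www/site;
    location /admin { deny all; }
    location ~ /\.git { deny all; } }
server { listen 443; root /var/www/site;
    location /admin { deny all; } }
"""

def parse_servers(text):
    """Return one dict per server block: listen args, root, 'deny all' locations."""
    servers, stack, stmt = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":
            if stmt == ["server"]:
                servers.append({"listen": [], "root": None, "denied": set()})
            stack.append(stmt)
        elif tok == "}":
            stack.pop()
        elif stmt and stack and stack[0] == ["server"]:
            srv = servers[-1]
            if len(stack) == 1 and stmt[0] == "listen":
                srv["listen"].append(stmt[1:])
            elif len(stack) == 1 and stmt[0] == "root":
                srv["root"] = stmt[1]
            elif stack[-1][:1] == ["location"] and stmt == ["deny", "all"]:
                srv["denied"].add(" ".join(stack[-1][1:]))
        stmt = []
    return servers

def audit(servers):
    """Flag plaintext listeners on 443 and compare them with the port-80 site."""
    port = lambda l: l[0].rsplit(":", 1)[-1]
    base = next((s for s in servers if any(port(l) == "80" for l in s["listen"])), None)
    findings = []
    for s in servers:
        if any(port(l) == "443" and "ssl" not in l for l in s["listen"]):
            findings.append("443 serves plain HTTP (no 'ssl' on listen)")
            if base and s["root"] == base["root"]:
                findings += [f"'deny all' for {loc} missing on 443"
                             for loc in sorted(base["denied"] - s["denied"])]
            elif base:
                findings.append(f"443 serves a different root: {s['root']}")
    return findings
```

Calling `audit(parse_servers(SAMPLE))` on the constructed config reports the plaintext listener and the `~ /\.git` rule that exists only on the port-80 block.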

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM