
We have a webapp that is built to use SSL for certain (but not all) types of requests. The webapp uses multiple subdomains, and the number can change. This combination of features means that the webapp requires a wildcard SSL certificate.

The webapp is used by some people, but not by a whole lot of them. We would like to keep the webapp running for those who use it, but it has been determined that, at this point in time, it is not economically justifiable to pay for the wildcard certificate.

Since the webapp has no built-in method to drop the SSL requirement (or more precisely, the webapp expects 'SSL traffic' to be coming in through a separate vhost listening on the same subdomain), I thought that the easiest solution would be to just disable SSL and keep (unencrypted) traffic running over port 443.

My big question is:
is it a bad idea to run non-SSL traffic over port 443 (and why)?

1 Answer

That doesn't sound terribly easy to me. Clients (and I assume we're talking about browsers here) expect http traffic to be served over port 80, and https traffic over 443. In order to change this to http over 443, that's going to require that you change your URL scheme to http, and then explicitly specify the port on each URL.

So, for an https URL like this: https://example.com/some-resource you will have to change it to: http://example.com:443/some-resource.

It seems to me that if you want to remove the SSL requirement, it would be easier to leave http running on port 80 so the only change you have to make to your URLs would be to remove the s from the scheme.

If you're wondering if you can serve http traffic directly to a client that is making an https request, allowing you to leave the URL the same, no, that should not work. The client is going to try to initiate a TLS handshake and when it doesn't get a TLS response, the connection will fail.

Comments:

  • The problem is that all public-facing resources (images, scripts, etc.) are statically hosted in a different webroot. Merging all traffic to port 80 would require merging those resources, which could be done for scripts, but cannot be done for some images with the same name but different content.
    – Monika, Oct 11, 2014 at 14:58
  • @Monika So, there is no pain-free way to do this. If you don't want to continue buying certificates, your best bet is probably to leave HTTPS enabled, but set your server up to either do TLS without a certificate, or use a self-signed certificate. Either option will likely require some action from the users in order to work. There's more detail in this answer.
    – Xander, Oct 11, 2014 at 15:18
  • Too bad, I didn't know web browsers tried to do an SSL/TLS handshake because of the https://; I thought it was initiated by the server indicating the need/requirement to use SSL/TLS.
    – Monika, Oct 11, 2014 at 18:09
  • @Monika Yup, the first step in an SSL/TLS handshake is the client hello from the browser.
    – Xander, Oct 11, 2014 at 18:10
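An added example, not code from the question or the answer, that reproduces the point made in the answer and in Xander's last comment: a plaintext HTTP listener on a loopback port stands in for "HTTP on 443", and a probe does what a browser does on an https:// URL (send a ClientHello first), then falls back to a raw HTTP request only to diagnose what is actually listening. The function and class names are mine; the probe doubles as a check for a port that should be TLS but is answering in plaintext.

```python
import http.server
import socket
import ssl
import threading

class _PlainHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for 'plain HTTP on port 443': answers GET with text."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"served without TLS\n")
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_plain_http_server():
    """Bind a plaintext HTTP server to an ephemeral loopback port; return (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def classify_listener(host, port, timeout=3.0):
    """'tls' if a TLS handshake completes (certificate deliberately not verified,
    only the protocol matters); 'plaintext-http' if the ClientHello fails, which
    is what a browser hits on https://host:port, but a raw GET gets an HTTP status
    line back; otherwise 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:  # ssl.SSLError (e.g. WRONG_VERSION_NUMBER), EOF or reset
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            head = raw.recv(64)
    except OSError:
        return "unknown"
    return "plaintext-http" if head.startswith(b"HTTP/") else "unknown"

def demo():
    """Start the local plaintext server and report how a TLS client sees it."""
    srv, port = start_plain_http_server()
    try:
        return classify_listener("127.0.0.1", port)  # returns 'plaintext-http'
    finally:
        srv.shutdown()
```

The first connection fails inside the TLS handshake because the server answers the ClientHello with HTTP bytes; only the second, deliberately plaintext, request succeeds, which is why a browser given https://host:443 can never reach such a listener.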
