Is it safe to use HTTPS without SSL certificates for my own domains?

I would like to run some encrypted connections between some of my own servers. Curl (or some other mechanism) can be used to connect using HTTPS without checking the SSL certificate. I am using PHP, but the language is probably irrelevant for this question.

I am guessing that using HTTPS without an SSL certificate is at least more secure than making the same connection over plain HTTP, since at least it is encrypted and the attacker would have to put in much more effort to intercept and decrypt the information.

As far as I know, the SSL certificate only says, "This trusted third party says that the server you are connecting to belongs to the guys who claim they own it." If I connect to my own domain name or IP address, I know I am the owner. What additional value does an SSL certificate have if I own both ends of the connection?

+3




2 answers


Not checking the identity of the server you connect to leaves the connection open to potential MITM attacks. SSL/TLS can be used without certificates (with anonymous cipher suites), but they are insecure (and disabled by default); as the TLS RFC says, "Please note that this mode is vulnerable to man-in-the-middle attacks and is therefore not recommended." In addition, the HTTPS specification itself expects an X.509 certificate.

Verifying the identity of the remote side is a necessary element to keep your system secure. There is little point in secretly exchanging data with a remote party that may not be who they claim to be (even if secrecy is guaranteed).

That being said, you don't need to go through a commercial certification authority. You can use self-signed certificates that you have to import separately for each client as a trusted certificate, or create your own institutional certification authority. There are tools for this, starting with OpenSSL CA.pl (see the man page), TinyCA, or OpenCA among others. Some operating systems also provide their own CA capabilities.



If I connect using my own domain name or IP address, I know I am the owner. What additional value does an SSL certificate give if I own both ends of the connection?

The certificate ensures that you are actually connecting to your machine and that no traffic has been intercepted. Therefore, you need to verify that it is a certificate that you recognize.

+7


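A concrete version of the two options this answer contrasts, in the asker's PHP/curl setting, as an added example that is not part of the original answer. The hostname and the CA bundle path are placeholders for your own environment.

```php
<?php
// Added example (not from the question or answers). Hostname and CA file path
// are placeholders; point them at your own server and your own CA / self-signed
// certificate exported as PEM.

// Weak: the "HTTPS without checking the certificate" setup from the question.
// Traffic is encrypted, but whoever answers the TCP connection can present any
// certificate and read or modify everything (MITM), so there is no real secrecy.
function fetchUnverified(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false, // accept any certificate
        CURLOPT_SSL_VERIFYHOST => 0,     // do not match the hostname either
    ]);
    $body = (string) curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened: trust only certificates that chain to your own CA (or the server's
// own self-signed certificate), with no commercial CA involved. The certificate
// must carry the hostname or IP used in the URL so hostname checking passes.
function fetchVerified(string $url, string $caBundle): string
{
    if (!is_readable($caBundle)) {
        throw new RuntimeException("CA bundle not readable: $caBundle");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // certificate must chain to $caBundle
        CURLOPT_SSL_VERIFYHOST => 2,     // CN/SAN must match the URL's host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // minimum version
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Wrong issuer, expired certificate or hostname mismatch ends up here;
        // failing closed instead of talking to an unknown peer is the point.
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS/HTTP request failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Usage with placeholder values:
// echo fetchVerified('https://internal.example.test/api', '/etc/ssl/internal-ca.pem');
```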


SSL certificates are more for the peace of mind of your customers or those who use your site. In any case, data is transferred over the same connections - it's just a matter of whether a third party certifies you as secure.



In my last job, we did all our internal data transfers using https/ftps, but until recently we didn't have an SSL certificate. Since the data transfer was internal, it didn't matter.

-2

