0

This question may be silly but I've a hard time understanding TLS 1.2 and accessing a website via HTTPS.

I've received a report from a web security tool that my website is not HTTPS and I have to enable TLS 1.2 on the server. As per my understanding to make a website HTTPS I have to add a security certificate to the website and enable HTTPS in my IIS, but as per the suggestion my website becomes HTTPS once I enable TLS 1.2 in server.

My question is: is enabling TLS 1.2 is enough to make a website HTTPS? If yes, are certificates are not required for that? Do I need to enable both TLS 1.2 and IIS level HTTPS?

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
Jay
  • 1
  • 1
  • HTTPS just means HTTP-over-TLS. TLS is a tunnel. And yes, you need a certificate to enable TLS. –  Aug 28 '20 at 13:29

1 Answers1

3

TLS 1.2 is a protocol. HTTPS is HTTP over TLS. While TLS supports some methods to protect the connection without certificates, browsers don't - the certificate is required to make sure that the expected server is reached (i.e. protection against man in the middle attack).

To use HTTPS (and thus TLS) with a browser as a client you need to enable both HTTPS in your server and also provide a certificate. You might additionally restrict the accepted TLS protocol version to TLS 1.2 and better.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Ok, so if I'm accessing a URL without browser (WCF service to WCF Service) then do I need to enable HTTPS in server or enabling TLS 1.2 is enough? – Jay Aug 28 '20 at 13:39
  • 1
    @Jay: Almost all HTTPS client expect a certificate. But you could write your own client which uses a different method for authentication of the peer, like PSK. Of course, the server would need to support this too and the typical web servers don't. – Steffen Ullrich Aug 28 '20 at 13:46