So I’ve just installed XAMPP today, and I noticed that the index.php had a check to see if it was accessed through HTTPS. Before that, I thought that in order to use SSL security, you need a certificate, but I am in doubt now.
At this point (Please do correct me, that is the whole point of this question!), my own research has led me to believe that the Certificate only provides information about the location you are accessing. If no Cert is found, it is up to the client to determine if he/she trusts the connection.
The XAMPP index page contains this check:
<?php
// Apache sets $_SERVER['HTTPS'] to "on" for a TLS request; it is unset otherwise.
if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
    $uri = 'https://';
} else {
    $uri = 'http://';
}
// HTTP_HOST is taken from the client's Host header, not from server configuration.
$uri .= $_SERVER['HTTP_HOST'];
header('Location: '.$uri.'/xampp/');
exit;
?>
Alright, so I access my Localhost through https://localhost, and the Firefox “Do you trust this website?” page appeared (and the question is: Can I trust myself? 😉 ).
After that, I created my own little test.php, with the following code:
<?php
echo "Hi. \n";
if (isset($_POST['firstname']) && isset($_POST['lastname'])) {
    // Escape the reflected POST values: the response is served as text/html,
    // so echoing them raw would reflect any markup the client sends.
    $first = htmlspecialchars($_POST['firstname'], ENT_QUOTES, 'UTF-8');
    $last  = htmlspecialchars($_POST['lastname'], ENT_QUOTES, 'UTF-8');
    echo "Your Firstname is ".$first." and your Lastname is ".$last;
    echo "\r\n\r\n";
    // Same detection as the XAMPP index page: Apache sets HTTPS to "on" under TLS.
    if (!empty($_SERVER['HTTPS']) && ('on' == $_SERVER['HTTPS'])) {
        echo "You are using SSL, arentcha? :)";
    } else {
        echo "Hmm.. No SSL!";
    }
}
?>
I then created a Delphi application that connects to http://localhost/test.php, and to https://localhost/test.php, as well as http://jeffijoe.com/test.php and https://jeffijoe.com/test.php with the TIdHTTP control (and for the SSL, I hooked up a TIdSSLIOHandlerSocketOpenSSL to the TIdHTTP's IOHandler property).
Here is the code for that:
Var
  Src      : TStringList;
  location : String;
  Protocol : String;   // was used below but never declared
begin
  // Pick target host and scheme from the radio buttons on the form.
  if RadioButton1.Checked then
    location := 'localhost'
  else
    location := 'jeffijoe.com';
  if RadioButton3.Checked then
    Protocol := 'http'
  else
    Protocol := 'https';
  Memo1.Clear;
  Src := TStringList.Create;
  try
    // One name=value pair per line; TIdHTTP.Post URL-encodes each entry
    // and joins them with '&' as application/x-www-form-urlencoded.
    Src.Add('firstname=Jeff');
    Src.Add('lastname=Hansen');
    // For https the TIdSSLIOHandlerSocketOpenSSL assigned to IOHandler does the TLS handshake.
    Memo1.Text := IdHTTP1.Post(Protocol + '://' + location + '/test.php', Src);
  finally
    Src.Free;
  end;
end;
Here are the results:
http://localhost/test.php – Expected output
https://localhost/test.php – Expected output (It acknowledges I am using HTTPS!)
http://jeffijoe.com/test.php – Expected output
https://jeffijoe.com/test.php – Fail! 404 Not Found!
My jeffijoe.com is hosted on a regular shared hosting account.
So – the questions are: Was the HTTPS to Localhost truly “secure”? And how come the HTTPS connection to the Jeffijoe.com location failed, when it didn't on my Localhost? How about the Certificates? Are they required? Is it possible to set up the secured connection without having to purchase an overpriced certificate?
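As an added example (not from the question, XAMPP or the Delphi code above), here is a stricter version of the `$_SERVER['HTTPS']` check. Apache sets `HTTPS` to `on`, but IIS sets it to `off` on plain HTTP, and behind a TLS-terminating reverse proxy PHP sees plain HTTP and only the `X-Forwarded-Proto` header tells it the client spoke TLS. That header must only be trusted when the request arrives from a known proxy address; the proxy addresses and the sample request environments below are assumptions constructed for the example.

```php
<?php
// Added example, not part of the original post. Proxy addresses are assumed.
const TRUSTED_PROXIES = ['127.0.0.1', '::1'];

function is_https(array $server): bool
{
    // Direct TLS: the web server populated HTTPS with a truthy value other than "off".
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    // Proxy-terminated TLS: honour X-Forwarded-Proto only from a trusted proxy,
    // otherwise any client can claim "https" and defeat scheme-based checks.
    $remote = $server['REMOTE_ADDR'] ?? '';
    $proto  = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    if (in_array($remote, TRUSTED_PROXIES, true)) {
        return strtolower(trim($proto)) === 'https';
    }
    return false;
}

// Constructed sample environments standing in for the real $_SERVER array.
$cases = [
    'apache direct TLS'          => ['HTTPS' => 'on',  'REMOTE_ADDR' => '10.0.0.5'],
    'IIS plain HTTP'             => ['HTTPS' => 'off', 'REMOTE_ADDR' => '10.0.0.5'],
    'behind trusted proxy'       => ['REMOTE_ADDR' => '127.0.0.1',   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'spoofed header from client' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];
foreach ($cases as $name => $env) {
    printf("%-28s %s\n", $name, is_https($env) ? 'https' : 'http');
}
```

The first three cases report `https`, `http`, `https`; the last reports `http` even though the client sent `X-Forwarded-Proto: https`, because 203.0.113.7 is not a trusted proxy. Passing `$_SERVER` directly gives the same function a drop-in use in the XAMPP redirect.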
The connection is safe from sniffers, i.e. what goes over the wire is encrypted. But as the certificate is self-signed, there is no guarantee that the other side is really who they pretend to be; that's exactly the point of certificates: a third party guarantees that the other side has been verified to be who they pretend to be.
The reason it worked on your local XAMPP box is that it carries a so-called self-signed certificate, and the server infrastructure to manage https communications, both of which are more than probably lacking on your hosted site.
In the end it depends on what you want to achieve: if the communication just has to be safe from sniffing, self-signed certificates work just fine. If you need to prove you are who you pretend to be, you need a certificate issued by a specialized company.
EDIT: to make this exercise more interesting: the cert system can work both ways, i.e. the server proves to you that it is genuine, and thanks to a so-called client certificate you can prove to the server you are who you pretend to be. Depending on your use case exploring client-side certificates could be quite useful, but be warned it's not easy.
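The "encrypted but not authenticated" distinction in the answer above can be seen from the client side. The following is an added example, not the answer's own code: it opens a TLS connection from PHP's stream layer, captures the certificate the server presents, and is run three ways against the local XAMPP server. The host `localhost`, port 443 and the CA-file path are assumptions; the path should point at the server certificate exported from the XAMPP install.

```php
<?php
// Added example, not part of the original answer. Host, port and cafile path are assumed.
function tls_probe(string $host, int $port = 443, array $extra = []): array
{
    $ssl = array_merge([
        'verify_peer'       => true,   // check the chain against a trusted set
        'verify_peer_name'  => true,   // and that the cert is for this host
        'peer_name'         => $host,
        'capture_peer_cert' => true,   // keep the presented cert for inspection
    ], $extra);
    $ctx = stream_context_create(['ssl' => $ssl]);
    $fp  = @stream_socket_client(
        "ssl://{$host}:{$port}", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx
    );
    if ($fp === false) {
        // Handshake refused, typically "certificate verify failed" when a
        // self-signed cert is not in the client's trusted set.
        $last = error_get_last();
        return ['verified' => false, 'error' => $last['message'] ?? $errstr];
    }
    $params = stream_context_get_params($ctx);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($fp);
    return [
        'verified'    => true,
        'subject'     => $cert['subject']['CN'] ?? '',
        'issuer'      => $cert['issuer']['CN'] ?? '',
        // Subject identical to issuer is the mark of a self-signed certificate:
        // the server vouched for itself, nobody else did.
        'self_signed' => ($cert['subject'] == $cert['issuer']),
        'valid_until' => date('Y-m-d', $cert['validTo_time_t']),
    ];
}

// 1. Default trust (system CA bundle): fails, because no CA the client trusts
//    has signed the XAMPP certificate. This is what Firefox's warning page means.
print_r(tls_probe('localhost'));

// 2. The client was handed the server's cert out of band (path assumed) and
//    trusts exactly that one: the handshake succeeds and the connection is both
//    encrypted and authenticated, with no purchased certificate involved.
print_r(tls_probe('localhost', 443, ['cafile' => '/path/to/xampp-server.crt']));

// 3. Accept any self-signed cert: still encrypted on the wire, but any server
//    holding any key could have answered. Equivalent to clicking through the warning.
print_r(tls_probe('localhost', 443, ['allow_self_signed' => true]));
```

Case 2 is the practical answer to "do I have to buy a certificate": for a client you control, trusting your own certificate file gives the same guarantee a CA-signed one would, because the trust decision was made out of band. Case 3 is the one to avoid in anything but a throwaway test, since it keeps the encryption and discards the identity check that the answer describes as the whole point of the certificate.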