Good morning, I published for the first time a website with IIS 6 under Win 2003 servers (web edition). Following some tutorials I created a Certification Authority on another W2K3 server (standard edit.) and produced a digital certificate for the webserver and published the website on the https (443) port. I also installed the security certificate on the webserver and then on some clients, importing this certificate as coming from a reliable and trusted CA. Until here all it works well and browsers (IE 7 and 8 and Firefox 3) don’t show errors related to that certificate.
I have seen that IIS, in the default website properties has a “Directory Security” tab and a submenu named Secure Communications in which there are two flags: one is “require secure channel” and another one is “require 128 bits encryption.”
Sniffing the traffic between client and server I have seen 3 cases:
1) with both the above flags inactive (but having client and server in relationship of trust by means of the installed certificates, in fact the browser shows the symbol of a closed and turned on padlock) it happens that I succeed in reading some lines in clear text (Organizational Unit, the name of the Certification Authority’s server, other data) but no application and neither html/java/javascript or similar language data are visible. In this case the sniffer shows the presence of the SSL among the protocols of the data flow between client and server.
2) activating only the “require secure channel” flag it happens that following the “TCP stream” (I use Wireshark) I succeed in reading in clear text only the public name of the server and nothing else. I see here also the presence of SSL protocol in the communication flow.
3) activating the flag “require secure channel” and also the flag “require 128 bits encryption” I don’t succeed in reading nothing of useful.
Now some questions, caused by my inexperience / ignorance:
a) Does the traffic that transits on https protocol is encrypted for the only reason I am using the 443 port or are there other elements which are responsible for the encrypted flow creation between client and server? I am supposing could have some roles the digital certificates between client and server or forcing SSL / TLS from the browser options, or something else?
b) in the cases quoted above I always seen the presence of SSL, but it seems more secure to activate the two flags mentioned above: does someone know how to explain me if the traffic is encrypted in each of the three cases and if traffic is encrypted someone could explain me how to understand which is the level of Encryption used in each case?
c) Does the fact that the digital certificate created by me has been produced with a 1024 or 2048 encryption key implies that such key is also used for https channel encryption or it only means that key is used to secure only the trust relationship between client and server but not the data that client and server will exchange?
I hope to have succeed in explaining the issue and I am grateful to everyone will come to help me with suggestions and clarifications.