It is a good practice to enable SSL on your web sites for security reasons. But there are times when you might not want to secure everything under an IIS Web Site because SSL carries with it some over-head that should be avoided.
Think about an ecommerce web site, such as www.amazon.com where there could be thousands of simultaneous users @ one point in time hitting the servers. One would want to conserve the processing cycles and use those cycles for serving the content instead of encrypting/decrypting SSL packets for the pages that really don't need SSL.
Also realize that a web site serves not only the dynamic content but also the static content such as CSS, JavaScript, images, etc. Using SSL for these types of files would be overkill for most, if not all, of the applications.
So what do we do? Well, enable SSL only on the resources (or pages) that require it. Following are some of the examples of the pages on which you would want to enable SSL:
- Create / Maintain Account
- Login
- Change or Reset Password
- Any other page that submits the sensitive data
Most of the developers don't know that it is possible to enable SSL on an individual file! What does that mean? That means you can keep a mix of http:// and https:// pages under your IIS Web Site (or Virtual directory for that matter).
The following list of steps walks you through the process of enabling SSL on a page in IIS 6.0. The sample project used in the walkthrough can be found here.
The following walkthrough also assumes that you have setup SSL on IIS server. See the following articles for more information about how to setup SSL on IIS.
There is couple of subtle-points that needs to be made, hence follow along the steps and pay special attention to the URLs and the behavior of the application.
Extract the attached zip file and create a virtual directory under IIS Web Site that has the SSL certificate installed on it.
The virtual directory on my machine looks like the following:
SSL not required on the IIS Web Site
Launch Inetmgr, right-click on the web site on which the SSL certificate has been imported, select Properties, go to the Directory Security tab and click on Edit button under the Secure communications sections.
This will take you to the following dialog-box which displays the SSL status of the web site. Notice that the Require secure channel (SSL) box is not checked.
Don't make any changes and dismiss all of the dialog-boxes. At this point in time, the IIS web site has the SSL certificate installed on it. No other changes to the configuration of the files have been made.
Browse files without configuring anything on the server
Browse both the Secure.aspx and NotSecure.aspx pages over HTTP. Both of the pages should run fine and you should see the following screens.
Now browse both of the files over HTTPS. On my machine I had setup HTTPS on port 8443, hence I had to specify that port in the URL. But if you have configured SSL on the standard port (which is 443), you don't have to specify the port in your URL.
So browsing pages over the secure connection yields the following output. (Disregard the Certificate Error message next to the URL – this is happening because the site URL specified in the certificate is different from the URL that I am using to browse the pages.)
Conclusion
As you can see, we have successfully browsed both of the pages over HTTP and HTTPS.
What does that mean?
That means:
- Importing the SSL certificate on an IIS web site allows that web site's resources to be invoked over SSL, but this does not enforce the use of SSL.
- The determination of whether or not to use SSL is made by the client (by using either the http:// or https:// prefix in the URL) and the server happily serves the content. The server does not have a say whether or not to use SSL.
- The same file could be browsed using both the http:// and https:// in the URL.
- It has not been demonstrated but checking the Require secure channel (SSL) check-box on the web-site itself would force all of the resources under that web site to be invoked over SSL which may not be a desirable behavior. You can check that box for the web-site and browse both of the pages over HTTP and HTTPS; this time around, you would not be able to browse pages over HTTP and would get an error from the server.
Require SSL for Secure.aspx page
This is not what we want! We want Secure.aspx page to use SSL all the time. We would have to forcefully require SSL for that page.
Select your virtual directory in Inetmgr, right click on the Secure.aspx page and select Properties. This will launch the Properties dialog-box for that file. On that dialog-box, click on the File Security tab and look @ the Secure communications section @ the bottom. This should look like the following:
Click on the Edit button and it will show you the following screen that you can use to enable SSL for that page.
Check the Require secure channel (SSL) box and click on OK. Don't change anything else on that dialog box. By doing that, we are forcing that SSL must be used while accessing the Secure.aspx page. Let's browse the Secure.aspx page over both the HTTP and HTTPS protocols.
Browsing the page over HTTP results in the HTTP error 403.4
As you can see, the web server has refused to serve the content because the client did not request content over HTTPS! Note that the similar request from the client to view the Secure.aspx page over HTTP had succeeded earlier because we had not forcefully required SSL for that page at that time, but after requiring SSL, the page can only be viewed securely.
Browsing the same page over HTTPS results in the following:
Conclusion
- We can force SSL for the selected resources on the server. This need not be forced at the web-site level. All we need to do is import an SSL certificate on the website and then require SSL for those selected resources.
- By the same token, we can require SSL for everything that lives under a virtual directory or folder for that matter.
So this should clarify some of the issues surrounding the concept of enabling SSL on selected resources.
Resources
Microsoft also recommends using SSL on selected pages. See the following for more information.
Improving ASP.NET Performance (read "Only Use SSL for Pages That Require It" section)
Checklist: ASP.NET Performance (Read "Security Considerations" section)
SSL Capacity Planning (read "Understanding SSL Performance" section)
Ensure that Secure Content is Served Over HTTPS Only
Information about working with Certificates in IIS 6.0
HOWTO: Use IIsWebFile to fine grain control IIS behavior
SSL Diagnostic Tool - This is a nifty tool for debugging SSL related issues.