Mark M Manning

A site for information involving myself and my career.

Force HTTPS for Sites Using NoScript

Sunday, December 21, 2008

This is a simple solution for those of us who want to use SSL whenever possible. Sites like Facebook, LinkedIn, The Pirate Bay and many more (hopefully soon many others) offer HTTPS as an option, but only to those who ask for it by typing https:// themselves; the default links and bookmarks still point at plain HTTP.

HTTPS != Secure

I should probably say this because HTTPS/SSL is turning into a mindless buzzword.
Websites offering SSL do NOT...

  • protect you from attacks on your system - malware downloads just as well over SSL; encryption says nothing about what the server sends you
  • inherently hide the websites you're visiting - anyone on your network still sees the DNS lookup and the server you connect to; only the path (the /markmmanning in https://www.someweb2.0site.com/markmmanning) is encrypted
  • mean that the website will always use HTTPS - Yahoo lets you connect using HTTPS and then automatically redirects you to HTTP after you've logged in, and any cookie set without the Secure flag travels in the clear from then on
Websites offering SSL do...
  • encrypt your web traffic between the browser and the web server, for the requests that actually go over HTTPS
  • hide the content of those requests from attackers sniffing on your network, as long as you don't click through a certificate warning

NoScript

NoScript R0ckz! I'm not even going to talk about them because you should know. Check them out at the NoScript site in the links below.

  • Install NoScript
  • Click on the icon and go to Options
  • Click the Advanced tab, then the HTTPS sub-tab
  • In the "Force the following sites to use secure (HTTPS) connections:" box add the hostnames of all of your favorite websites (e.g. facebook.com, linkedin.com)
  • Click OK and test it out: type a plain http:// address for one of those sites and the address bar should switch to https:// before the page loads
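The script below is an added example, not code from the original post or from NoScript itself. It models what a "force HTTPS" site list does inside the browser (rewriting http:// to https:// before the request leaves), and ties it back to the "HTTPS != Secure" list above: a cookie that a site set over HTTPS without the Secure flag is still attached to any plain-HTTP request for that site, which is exactly what a sidejacking tool provokes. The host example-social.com, the cookie names and the "subdomains match a listed site" rule are assumptions made for the example; NoScript's real pattern syntax is not reproduced.

```javascript
// Added example, not code from the original post or from NoScript. Models a
// force-HTTPS site list and shows why a non-Secure cookie leaks over plain HTTP.
// Host names and cookies below are constructed for the example.
'use strict';

// Parse one Set-Cookie header value. `setBy` is the host that sent it; without a
// Domain attribute the cookie is host-only, as in the browser.
function parseSetCookie(header, setBy) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: setBy.toLowerCase(),
    hostOnly: true,
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain' && v) {
      cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Assumed matching rule: a site-list entry covers the host itself and its subdomains.
function hostMatches(host, site) {
  host = host.toLowerCase();
  site = site.toLowerCase();
  return host === site || host.endsWith('.' + site);
}

// What a force-HTTPS rule does: rewrite http:// to https:// for listed sites
// before the request leaves the browser. Other schemes and unlisted hosts are
// returned untouched; an explicit non-default port is kept.
function forceHttps(url, forceSites) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return url;
  if (!forceSites.some((site) => hostMatches(u.hostname, site))) return url;
  u.protocol = 'https:';
  return u.toString();
}

// Cookies the browser would attach to a request for `url` in the clear:
// only plain-HTTP requests count, and only cookies lacking Secure qualify.
function cookiesSentInClear(cookies, url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return [];
  return cookies.filter((c) => {
    if (c.secure) return false;
    return c.hostOnly ? u.hostname === c.domain : hostMatches(u.hostname, c.domain);
  });
}

// Sidejacking scenario: an attacker on the network injects an http:// image or
// link for the target site into some unrelated page the victim is reading.
// Returns the names of the cookies that go out unencrypted when the browser
// fetches it, after the force list has had its chance to rewrite the URL.
function sessionLeaks(triggerUrl, cookies, forceSites) {
  const actual = forceHttps(triggerUrl, forceSites);
  return cookiesSentInClear(cookies, actual).map((c) => c.name);
}

// Constructed sample: three cookies as a site might set them after an HTTPS login.
const SITE_COOKIES = [
  'sessionid=abc123; Path=/; HttpOnly',              // no Secure flag: sidejackable
  'csrftoken=xyz; Path=/; Secure',                    // Secure: never sent over http
  'prefs=dark; Domain=.example-social.com; Path=/',   // no Secure, shared with subdomains
].map((h) => parseSetCookie(h, 'www.example-social.com'));

const TRIGGER = 'http://www.example-social.com/favicon.ico';

if (typeof module !== 'undefined' && require.main === module) {
  console.log('no force list  :', sessionLeaks(TRIGGER, SITE_COOKIES, []));
  console.log('with force list:', sessionLeaks(TRIGGER, SITE_COOKIES, ['example-social.com']));
}
```

Run with node: without a force list the session cookie (and the domain-wide prefs cookie) goes out in the clear the moment the browser fetches the injected http:// favicon; with example-social.com in the force list the same request is rewritten to https:// and nothing leaks. The Secure-flagged csrftoken never leaks either way, which is the fix the site itself should ship; the force list is the user-side workaround until it does.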

External Links

http://noscript.net/ - NoScript website
http://fscked.org/projects/cookiemonster - the reason why HTTPS doesn't mean you're secure. CookieMonster is a sidejacking tool with support for attacking SSL connections: it provokes a plain-HTTP request to a site you logged into over HTTPS, and any cookie the site set without the Secure flag is sent in the clear and captured.


Can't Force SSL With Outlook Mobile Access

Sunday, December 16, 2007

I just learned today that you cannot force the use of SSL on any part of an Exchange-enabled website in IIS. You can still use SSL, but apparently turning on the "Require Secure Channel (SSL)" option makes OMA not work. Here was the error I was getting:
If you have recently changed your password, the system may not yet have completed the change. Please wait a short time and try again. If this is not the case, your Exchange server mailbox has not been created. Please access your account via Microsoft Outlook or Microsoft Outlook Web Access to create your user mailbox. Please contact your system administrator for additional assistance.
I have to admit I've only set up the OMA site half a dozen times, so there may be something out there that explains this issue better than I can, but I've found a bunch of websites that support this claim. One site makes a reference to a KB article that no longer exists.

The Steps

  1. Open the IIS Management Console on the back-end Exchange 2003 server.
  2. Right-click the Exchweb virtual directory under the default Web site, and then click Properties.
  3. Click the Directory Security tab.
  4. Click Edit in the Secure Communications area.
  5. Click to clear the "Require secure channel (SSL)" check box, and then click OK for all windows.

But I Want To Force SSL

The problem remains "What if you actually want to force SSL?" I had a hard enough time trying to get 50 users to understand what the "S" in HTTPS meant. What I did was create a second site that was Exchange-enabled. On this site I forced SSL, while on the first site I left it optional. I sent an update to the end users explaining that there was a new mail website, "https://www.website.com/mail", and made a few minor modifications (adding the company logo) so that they could tell the difference, in the hope that they would think new = upgrade. This way, if they used http instead of https, I could redirect them automatically.

External Links

http://www.petri.co.il/forums/showthread.php?t=10208 - Daniel Petri's website forum
http://www.webservertalk.com/archive128-2004-3-166297.html - Forum article that makes a reference to the problem.
