Can I use port 443 without SSL?

So you're running port 443 on a web server using plain HTTP (no TLS/SSL)?

Best practice is to close any ports that are not being used.

It depends on where the web root for port 443 is configured to look on your server. If this is the same location as your normal website, then this could be a risk if there are certain items that need to be secured via configuration that is missing on this second webroot's setup.

If it is configured to look elsewhere, then files could be unintentionally exposed.

It is not a security risk to your users because they will not see https:// or the padlock in the browser address bar. They would simply see http://example.com:443/ which gives the same security as port 80 would (http://example.com/).


You can run HTTP on any port (and similarly HTTPS on any port). Conventionally, you run HTTP on port 80 and HTTPS on port 443, as using these well-defined ports lets users not specify the port number.

If you connect to https://example.com it will make an HTTPS request to port 443. If you try connecting to a port not running SSL/TLS with the HTTPS protocol you'll get an SSL connection error. You can see this, for example, if you try connecting to https://security.stackexchange.com:80. This is what will happen if you run HTTP on port 443 at example.com; any user connecting to https://example.com will get that error.

Conversely, if you try connecting to a port running HTTPS with your browser making the request via the regular old HTTP protocol, you'll get a 400 Bad Request HTTP error message (The plain HTTP request was sent to HTTPS port). You can see an example of this error by going to: http://www.time.com:443/. Please note that HSTS slightly complicates things; if you are running HSTS, your browser may automatically switch HTTP requests to HTTPS ones for a given site. (This is why you will not see this error if you try going to http://www.facebook.com:443/ and would instead be redirected to https://www.facebook.com).

If you want https://example.com requests to work, but do not need the security of SSL, you should get a properly signed certificate. This can be done for free with https://letsencrypt.org/ and there are many other low cost solutions. If you really do not want users using HTTPS, you can then have rewrite rules redirect from HTTPS to HTTP. (Please note to use these redirects without browser warnings about an invalid SSL certificate, you need a valid SSL certificate).

EDIT: Removed recommendation for StartSSL as it is no longer trusted by major browsers.
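A quick way to check from the outside which of the two behaviours described in this answer a given port actually produces (an added example written for this answer, not code from the original page; `probe`, `classify_first_bytes` and the local cleartext listener are constructed for the demonstration): it attempts a TLS handshake first and, if that fails, sends a cleartext GET and inspects the first bytes of the reply.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify_first_bytes(data: bytes) -> str:
    """TLS records start with a content-type byte (0x15 alert, 0x16 handshake)
    and a 0x03 version byte; a cleartext HTTP server sends an ASCII status line."""
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    if data.startswith(b"HTTP/1."):
        return "plain-http"
    return "unknown"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """'tls' if a TLS handshake completes, 'plain-http' if a cleartext GET gets
    an HTTP status line back, otherwise 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # asking "is TLS spoken here?", not "is the cert valid?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except OSError:              # ssl.SSLError and socket timeouts are both OSError
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return classify_first_bytes(raw.recv(64))
    except OSError:
        return "unknown"

class _PlainHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"plain http\n")
    def log_message(self, *args): pass  # keep the demo quiet

def start_plaintext_server():
    """Constructed cleartext listener on 127.0.0.1 standing in for 'HTTP on port 443'."""
    srv = HTTPServer(("127.0.0.1", 0), _PlainHandler)
    srv.handle_error = lambda *a: None  # ignore the write error after the abandoned TLS attempt
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    srv, port = start_plaintext_server()
    print(probe("127.0.0.1", port, timeout=1.0))  # prints plain-http
```

Pointed at a real server, `probe(host, 443)` returns `tls` for a correctly configured HTTPS listener and `plain-http` for the misconfiguration the question describes.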


Running port 443 the way you described can be troublesome because the data that transits through it will be encrypted, but there is no way for a peer to be sure that it is communicating with you and not with someone else (man-in-the-middle attacks). The server will attempt to transmit in the clear while almost any conventional client will be expecting encrypted traffic and (hopefully) abort with a 'failed SSL handshake' error.

Would an attacker hack port 443 and come in to my website at port 80?

You have to worry about all open ports as I commented below. Do not open a port you do not need.

You may be interested to read this: Using SSL-port (443) for non-SSL traffic, bad idea?