By default, ArcGIS Server supports the use of HTTP and HTTPS protocols for communication. Since passwords sent over HTTP can be intercepted and stolen, Esri-built client applications that can connect to ArcGIS Server encrypt the user name and password using the RSA public-key cryptography algorithm before transmitting the credentials over the network. These applications include ArcMap, ArcGIS Server Manager, the Services Directory, and the ArcGIS Server Administrator Directory.
User credentials encrypted using the out-of-the-box RSA algorithm provide a reasonable level of security within a small or restricted local area network (LAN). However, when deploying an enterprise-wide ArcGIS Server deployment or a system that contains sensitive proprietary data, it is recommended to use only HTTPS to ensure secure transmission of user credentials.
Accessing ArcGIS Server URLs through HTTPS ensures network confidentiality and integrity. In high-security environments, any regular HTTP access to ArcGIS Server should be disabled. For instructions on how to do this, see Disable HTTP access to ArcGIS Server.
Supported TLS versions
Transport Layer Security (TLS) is a cryptographic protocol that provides communications security over a network. ArcGIS Server supports TLS versions 1.0, 1.1, and 1.2.
Beginning at 10.3, Secure Sockets Layer (SSL) support was dropped due to the SSL 3.0 POODLE vulnerability.