
HTTPS over SSL/TLS

 
Pedpano Silva
Greenhorn
Posts: 18
Hello,

Java has full support for HTTPS over SSL/TLS. So I was wondering if it solves all problems of internet communications, what do you guys think about it?
And what is the advantage of using HTTPS over SSL/TLS instead of implementing an algorithm to encrypt my data and transmit it through the internet?

Pedpano.
 
Hung Tang
Ranch Hand
Posts: 148
advantages and disadvantages for SSL/TLS

advantage:

- you take advantage of the countless hours put into a mature API (many people actually use and depend on it) implementing SSL/TLS.
- SSL/TLS is a standard spec--proven protocol.

disadvantage:
- overhead
 
Ulf Dittmer
Rancher
Posts: 42967
First, a slightly pedantic correction: you don't use HTTPS over TLS/SSL, you use HTTPS over TCP/IP. HTTPS uses TLS/SSL internally.

I'm not quite sure what you are getting at that HTTPS solves "all internet communications problems". It solves the problem of creating an encrypted channel for HTTP, no more, no less. If that's the only communication problem you're facing, then you're all set.

But sending unencrypted data over an encrypted channel is a different problem than sending encrypted data over an unencrypted channel. If you need the data to be encrypted outside of the channel -i.e., inside of the application- then HTTPS doesn't help. Overhead is not much of a consideration, because you incur that whether your code does the encryption, or SSL does it.
 
Hung Tang
Ranch Hand
Posts: 148
Originally posted by Ulf Dittmer:
But sending unencrypted data over an encrypted channel is a different problem than sending encrypted data over an unencrypted channel.

What do you mean by "sending unencrypted data over an encrypted channel"?

Anyways, the goal is to set up a secure channel for communication, which involves a shared secret (key) known to the communicating parties to do data encryption/decryption. The biggest problem is establishing that very key securely (normally done over an insecure channel) and there are several solutions available with benefits/drawbacks. For example, you can meet up with your buddy in an alley and tell him/her your secret. Of course, this solution isn't very scalable and that is why there are crypto tools out there to help address that problem.


Overhead is not much of a consideration, because you incur that whether your code does the encryption, or SSL does it.


Of course overhead is something you need to consider. Depending on your application and your scalability requirements, you may not need SSL because it may be overkill. If large-scale key establishment is not a concern for your application (often the case for very simple applications), then why incur the costs of using SSL when simple encryption/decryption using something like RC4 will do. Buying and getting certificates, setting them up, writing and testing code that uses them all need to be considered. It's just not about performance. In fact there's probably little to be gained by not using SSL once the key-establishment part is done in the SSL protocol.
 
Ulf Dittmer
Rancher
Posts: 42967
What do you mean by "sending unencrypted data over an encrypted channel"?

I was talking about HTTPS. The original post compared HTTPS with doing encryption in the application process and then sending that over HTTP (i.e., encrypted data over an unencrypted channel).

Of course overhead is something you need to consider. ... It's just not about performance.

Your post didn't mention what kind of overhead you were talking about. It seemed natural to assume that it was about performance. My bad if you meant something else.
 