HTTPS over SSL/TLS

Pedpano Silva
Greenhorn

Joined: Apr 14, 2005
Posts: 18
Hello,

Java has full support for HTTPS over SSL/TLS. So I was wondering if it solves all problems of internet communications, what do you guys think about it?
And what is the advantage of using HTTPS over SSL/TLS instead of implementing an algorithm to encrypt my data and transmit it through the internet?

Pedpano.
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
advantages and disadvantages for SSL/TLS

advantage:

- you take advantage of the countless hours put into a mature API (many people actually use and depend on it) implementing SSL/TLS.
- SSL/TLS is a standard spec--proven protocol.

disadvantage:
- overhead
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41621
First, a slightly pedantic correction: you don't use HTTPS over TLS/SSL, you use HTTPS over TCP/IP. HTTPS uses TLS/SSL internally.

I'm not quite sure what you are getting at that HTTPS solves "all internet communications problems". It solves the problem of creating an encrypted channel for HTTP, no more, no less. If that's the only communication problem you're facing, then you're all set.

But sending unencrypted data over an encrypted channel is a different problem than sending encrypted data over an unencrypted channel. If you need the data to be encrypted outside of the channel -i.e., inside of the application- then HTTPS doesn't help. Overhead is not much of a consideration, because you incur that whether your code does the encryption, or SSL does it.


Ping & DNS - my free Android networking tools app
Hung Tang
Ranch Hand

Joined: Feb 14, 2002
Posts: 148
Originally posted by Ulf Dittmer:
But sending unencrypted data over an encrypted channel is a different problem than sending encrypted data over an unencrypted channel.

What do you mean by "sending unencrypted data over an encrypted channel"?

Anyways, the goal is to set up a secure channel for communication, which involves a shared secret (key) known to the communicating parties to do data encryption/decryption. The biggest problem is establishing that very key securely (normally done over an insecure channel) and there are several solutions available with benefits/drawbacks. For example, you can meet up with your buddy in an alley and tell him/her your secret. Of course, this solution isn't very scalable and that is why there are crypto tools out there to help address that problem.


Overhead is not much of a consideration, because you incur that whether your code does the encryption, or SSL does it.


Of course overhead is something you need to consider. Depending on your application and your scalability requirements, you may not need SSL because it may be overkill. If large-scale key establishment is not a concern for your application (often the case for very simple applications), then why incur the costs of using SSL when simple encryption/decryption using something like RC4 will do. Buying and getting certificates, setting them up, writing and testing code that uses them all need to be considered. It's just not about performance. In fact there's probably little to be gained by not using SSL once the key-establishment part is done in the SSL protocol.
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41621
What do you mean by "sending unencrypted data over an encrypted channel"?

I was talking about HTTPS. The original post compared HTTPS with doing encryption in the application process and then sending that over HTTP (i.e., encrypted data over an unencrypted channel).

Of course overhead is something you need to consider. ... It's just not about performance.

Your post didn't mention what kind of overhead you were talking about. It seemed natural to assume that it was about performance. My bad if you meant something else.
 