From a transmission security perspective there is very little difference between SST over a TLS tunnel and using a separate HTTPS connection. Both techniques use TLS 1.2 or 1.3, assuming your HTTPS server is set up correctly.
There may be performance differences. I haven't used SST in 15+ years, so I'm not sure how efficient SST is at marshalling large objects compared to a simple HTTPS post.
I assume since you want to transfer the file over an encrypted channel that the data in the file is sensitive. From a security perspective you need to think about authentication differences between the two approaches. Using SST, you only have to authenticate the connection one time. When transmitting the file over a separate connection, you need to authenticate that connection independently from the SST connection. You may need to manage two different certificates for the independent applications on the server.
On Sun, Aug 5, 2018 at 4:15 PM, Wayne Johnston <[hidden email]> wrote:
We have a client-server application that communicates over SST. For transmitting files between them, is there any advantage/disadvantage of alternatives:
1. Encrypting that SST communication via SSL (well, OpenSSL using TLS).
2. Using a separate HTTPS channel (a different port on the server).
Put another way - for security reasons it is best to encrypt both the SST communication as well as file transmission. Is there any pro/con of transmitting files over SST+TLS, as opposed to HTTPS?