We have a client-server application that communicates over SST. For transmitting files between them, is there any advantage/disadvantage of alternatives:
1. Encrypting that SST communication via SSL (well, OpenSSL using TLS).
2. Using a separate HTTPS channel (a different port on the server).

Put another way - for security reasons it is best to encrypt both the SST communication as well as file transmission. Is there any pro/con of transmitting files over SST+TLS, as opposed to HTTPS?

You received this message because you are subscribed to the Google Groups "VA Smalltalk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email]. To post to this group, send email to [hidden email]. Visit this group at https://groups.google.com/group/va-smalltalk. For more options, visit https://groups.google.com/d/optout.
Hi Wayne,
I'm not an expert but I think it is generally considered a bad idea to double encrypt anything. I think it has more to do with weakening the encryption than it does with efficiency.

Lou

On Sunday, August 5, 2018 at 5:15:45 PM UTC-4, Wayne Johnston wrote:
Sorry, I confused you.
Another way of asking my question is this: Our client-server communication over SST can already be done using SSL and client/server certificates. But when it comes to transmitting files back and forth, that can be done differently. Should we just transmit files over that same SST channel? Or is there some advantage in coming up with a separate HTTPS channel?
In reply to this post by Wayne Johnston
Wayne,

From a transmission security perspective there is very little difference between SST over a TLS tunnel and using a separate HTTPS connection. Both techniques use TLS 1.2 or 1.3, assuming your HTTPS server is set up correctly.

There may be performance differences. I haven't used SST in 15+ years, so I'm not sure how efficient SST is at marshalling large objects compared to a simple HTTPS post.

I assume since you want to transfer the file over an encrypted channel that the data in the file is sensitive. From a security perspective you need to think about authentication differences between the two approaches. Using SST, you only have to authenticate the connection one time. When transmitting the file over a separate connection, you need to authenticate that connection independently from the SST connection. You may need to manage two different certificates for the independent applications on the server.

On Sun, Aug 5, 2018 at 4:15 PM, Wayne Johnston <[hidden email]> wrote: