  1. #1
    Join Date
    Sep 1999
    Location
    malaysia
    Posts
    191

    Your Opinion please - about SSL

    Hi All,

    I am currently in a discussion with a group of friends regarding the role of SSL.

    My stand is......correct me if I am wrong....is that...

    SSL was basically created so that applications developed on different platforms and/or by different programmers have a common security scheme so that they can interoperate in a secure manner. As compared to a situation where each developer uses their own security scheme which cannot be interpreted by the other....hence the need of a common scheme, i.e. SSL..

    BUT say in a socket environment, where the server and all the client applications were developed by the same developer and that there is no chance of any other application developed by some other programmer to access the server, then there is no real need to use SSL to ensure security. Any kind of strong encryption algorithm used by the developer should be secure enough for it to operate on the internet for example...of course it still depends on the algorithm used...

    What is your opinion on that...???
    Love to know...

    Regards

    Mustafa
    ______________________________
    To err is human, it's the computer that causes blunders !!!

    DO: Dazzle me with your intelligence
    DON'T : Confuse me with your bullshit

  2. #2
    Join Date
    Jun 2002
    Posts
    395
    This is basically correct; however, if you have a framework available for free that you can use, why reinvent the wheel? Just use SSL.

    And when the day comes (and it will come) that you discover that you really want/need to communicate to other programs (such as a web server, etc.) your program will work without having to make major changes.

    Trying to anticipate how requirements might change in the future and building your code so that it is as easy as possible to make those changes is one aspect of being a good engineer. So is coding to standards. So even though it's a little more painful now, get an SSL implementation (there are free ones available) and use it.

  3. #3
    Join Date
    May 2000
    Location
    Washington DC, USA
    Posts
    715
    I would disagree with you Mustafa..

    SSL is not merely an encryption scheme to protect one's data; it is itself a protocol which potentially could use different encryption methodologies (RSA, DES, etc.).....which sits on top of your application protocol..


    There is not a guarantee just because two applications use SSL that they will be able to speak to each other. They must be designed to do so just like you would if you were to invent / reinvent your own security protocol... (although there is a generic handshake property in SSL which will allow a program to know that it can't talk to another).

    The benefit of using SSL isn't so that any two disjointed applications can interact. The benefit of using SSL is that some bright folks got together to think up a security protocol that is

    1) Secure. It works
    2) Interoperable. Not machine or hardware dependent
    3) Extensible. Gives versatility to fit different applications

    So the question to use it or not doesn't come down simply to one of supporting a standard which will allow you to connect to more resources, rather it comes down to supporting a standard that is known to provide reliable security while still not closing doors as to who you might want to speak to in the future, how you might want to speak to them, and what you might like to say.

    A hand done protocol without serious thought would be very unlikely to accomplish all of these tasks... That's why you should use SSL..

    "where the server and all the client applications were developed by the same developer and that there is no chance of any other application developed by some other programmer to access the server, then there is no real need to use SSL to ensure security."

    So the thought is that it's not the encryption mechanism which necessarily keeps you safe. It's also how you use encryption. What you choose to send, how and to whom. These are the questions SSL is intended to answer. Hand doing your own security methodology would be like interpreting your own X-ray. Can you do it? Yes, but it doesn't take advantage of all the thought and safeguards which come only through dedicated experts' efforts.
    Last edited by JMS; April 6th, 2004 at 01:11 PM.
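
An added example, not part of any post in this thread, of the point that the encryption mechanism alone does not keep you safe: a home-made scheme that only encrypts accepts a record changed in transit, while a scheme that also authenticates each record with a MAC, as SSL's record layer does, rejects it. The cipher is a constructed stand-in built from HMAC-SHA256, and all names, keys and the sample message are assumptions.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in for "any strong cipher": HMAC-SHA256 in counter mode.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Home-made scheme: confidentiality only, no integrity check."""
    return xor(msg, keystream(key, nonce, len(msg)))

decrypt_only = encrypt_only  # XOR with the same keystream undoes itself

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt_only(enc_key, nonce, msg)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record rejected: integrity check failed")
    return encrypt_only(enc_key, nonce, ct)

def tamper(data: bytes, offset: int, delta: bytes) -> bytes:
    """Simulate in-transit modification: XOR delta into the bytes at offset."""
    end = offset + len(delta)
    return data[:offset] + xor(data[offset:end], delta) + data[end:]

if __name__ == "__main__":
    # Constructed keys, nonce and message for the demonstration.
    k_enc, k_mac, nonce = b"k" * 32, b"m" * 32, b"n" * 12
    msg = b"amount=0100;to=alice"
    delta = xor(b"0100", b"9100")

    changed = tamper(encrypt_only(k_enc, nonce, msg), 7, delta)
    print("encrypt-only receiver sees:", decrypt_only(k_enc, nonce, changed))

    try:
        open_sealed(k_enc, k_mac, nonce, tamper(seal(k_enc, k_mac, nonce, msg), 7, delta))
    except ValueError as err:
        print("encrypt-then-MAC receiver:", err)
```

This covers record integrity only; SSL additionally handles key agreement, peer authentication and replay protection, none of which is modelled here.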

  4. #4
    Join Date
    Apr 2000
    Location
    Belgium (Europe)
    Posts
    4,626
    "My stand is......correct me if I am wrong....is that..."

    Your stand is correct if you take that viewpoint to it, but there are other issues which may or may not apply. If all you need is to write your own secure communication, then SSL is no requirement, it's just one of many ways.

    "This is basically correct; however, if you have a framework available for free that you can use, why reinvent the wheel? Just use SSL."

    Security is by nature a 'hard' subject to master and to implement correctly. And indeed it would make sense to benefit by using ready made wheels.
    However sometimes SSL doesn't quite fit the bill. It may have too much overhead, or may not have the level of security you desire.

    If you decide not to use SSL for whatever reason, it is still worth it to investigate other standard means of secure communications. As wayside noted, it's hard to anticipate future requirements, and adhering to standards will at least make part of your work less of a hassle.

  5. #5
    Join Date
    Jul 2000
    Location
    BC, Canada
    Posts
    231
    What does the home made security layer give you?

    - Better security? (doubtfully)
    - Better performance? (maybe yes, maybe not)
    - More bugs? (probably)
    - More complicated code (definitely)
    - Secure your job (have no idea)

  6. #6
    Join Date
    Sep 1999
    Location
    malaysia
    Posts
    191

    Great Response!!!

    Thank you for the great response....

    Seems like no matter how proud and confident one may feel of their own security mechanisms, it would not convince the industry unless we adhere to the industry standards....

    So it looks like I may have to yield to what is expected out there. The other thing is that SSL being on the transport layer, is probably more difficult to mess around with as compared to the one that I have created...

    Wayside and OReubens...got your point thanks...it is just hard to swallow that after the months of carefully putting them together and am ready to take on the world..I still have to yield to the industry standards to get it accepted...Hmmph

    JMS...most likely due to the shallow knowledge I have on SSL which made me avoid it in the first place...or was it the urge to prove to myself that I could do it too??...anyway...got your point thanks

    Yuriy Olshevskyy ....yes...looks like in order to convince anybody I may have to reveal the mechanism itself which by doing so..will weaken it...so then I have to run around in circles which I think now the best thing to do is do what is expected....just the rebel in me I suppose....Sighhhh...

    Great!!!...thanks

    Best of regards

    Mustafa
