2

I'm porting a web app to a mobile device and working with the major carriers to minimize our bandwidth use, but need to maintain security.

The SSL handshaking overhead associated with HTTPS is more than 50% of the bandwidth currently. Can someone recommend a lightweight, low bandwidth alternative to HTTPS?

The payload is HTTP/XML, but can be modified to any format. I'm using Ruby on Rails so something with a Ruby library is ideal.

the Tin Man
Chirag Patel
  • 2
    The handshaking involved in HTTPS is what helps ensure that your private stuff stays private. I kinda doubt you're going to find a useful way to avoid all that and still provide the security benefits that HTTPS provides. The best you might be able to do is tell the server to use only a very small subset of the ciphers it can understand...but then you're sacrificing compatibility. – cHao May 25 '11 at 02:24
  • 2
    How did you get to that 50% number? The handshake should only be done when the connection is established. After this, there's very little overhead. It shouldn't really be such a big total overhead. Last time I checked, the biggest TLS handshake message was the CertificateRequest if it contains a long list of acceptable CAs, if you're using client certificates. – Bruno May 25 '11 at 02:27
  • 2
    @Bruno: If the client doesn't make requests often enough to hold the connection open, it'd have to reconnect (and do all the handshaking stuff again) each time. For tiny requests, the handshakes could easily consume more bandwidth than the actual requests. – cHao May 25 '11 at 02:31

1 Answer

1

It sounds like your connection is short-lived, and your payload small. Would it be possible to hold the connection open and send multiple "messages" through it? That way, as more responses get sent, your SSL overhead becomes a smaller portion of the cumulative data transfer. This would avoid the need to repeat the handshake. HTTP has some keep-alive capabilities with it; hopefully those can be applied in Ruby to an SSL connection.

Thanatos
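The effect described in the answer above, measured against a throwaway local TLS server, as an added example that is not part of the original answer: it counts the TLS handshakes needed for five requests over one kept-alive `Net::HTTP` connection versus one connection per request. The `/status` path, the self-signed `localhost` certificate and the helper names are constructed for the demo.

```ruby
require "net/http"
require "openssl"
require "socket"

# Throwaway self-signed certificate for the local demo server (constructed).
def demo_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:localhost"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Minimal HTTPS responder on a free port; records one entry per TLS handshake.
def start_server(cert, key, handshakes)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tls = OpenSSL::SSL::SSLServer.new(TCPServer.new("127.0.0.1", 0), ctx)
  Thread.new do
    loop do
      Thread.new(tls.accept) do |c|   # accept returns after the TLS handshake
        handshakes << c
        c.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok") while c.gets("\r\n\r\n")
        c.close                       # client closed its side
      end
    end
  end
  tls.to_io.addr[1]
end

# Handshakes the server sees for `requests` GETs, on one kept-alive connection
# (reuse: true) or on a fresh connection per request (reuse: false).
def handshakes_for(requests, reuse:)
  cert, key = demo_cert
  port = start_server(cert, key, seen = [])
  store = OpenSSL::X509::Store.new.add_cert(cert)  # trust only the demo cert
  (reuse ? 1 : requests).times do
    http = Net::HTTP.new("localhost", port, nil)   # nil: ignore proxy env vars
    http.ipaddr, http.use_ssl, http.cert_store = "127.0.0.1", true, store
    http.start { (reuse ? requests : 1).times { http.get("/status") } }
  end
  seen.size
end

puts "keep-alive: #{handshakes_for(5, reuse: true)}, per-request: #{handshakes_for(5, reuse: false)}" if __FILE__ == $0
```

`Net::HTTP` closes a connection that has been idle longer than `keep_alive_timeout` (2 seconds by default) and reconnects on the next request, so requests spaced further apart than that still trigger a new handshake unless the timeout is raised.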