SSL/TLS Communication in OpenEdge - Documents - OpenEdge Development - Progress Community

SSL/TLS Communication in OpenEdge

You can use SSL/TLS communication between OpenEdge clients and servers, including Progress WebClient to communicate with OpenEdge as well as non OpenEdge application. You can also use SSL with HTTP (Hyper Text Transfer Protocol). When the two are used together, the resultant protocol is referred to as HTTPS, that is HTTP with added security.

SSL entails overheads when compared to unencrypted Transmission Control Protocol (TCP) connections. Establishing an SSL connection is a complex process in which initially there is an exchange of ten or more messages, some of which are highly encrypted. These messages are small, and the exchanges take place relatively quickly. However, when these numbers are multiplied by a significant number of application users, the application’s performance is affected.

So, it is a best practice to use SSL/TLS only when necessary within an application. Typically, you will not implement SSL throughout your application. A good example of limited implementation of SSL is Amazon.com. You could spend hours on this web site and never get to see the use of SSL (notice that only HTTP is used in the URL). Only when you are in the act of finalizing a purchase and relaying your personal or credit card information, does the protocol switch to HTTPS. At that point, only a tiny amount of data is exchanged, effectively curbing overheads for the Amazon servers.

Comments
  • SSL/TLS Communication in OpenEdge

    There's a noticeable move to make (web) sites using SSL throughout. This prevents data leakage by accidental errors. Google even ranks website higher when they use SSL. IMHO: nowadays the advice should be to use SSL everywhere unless you have a very very good reason to not to. Of course the mentioned examples are for public websites, but with the increased attention to security and the rise of cyber crime I think it goes for LOB application as well.