Originally posted by Ulf Dittmer:
But sending unencrypted data over an encrypted channel is a different problem than sending encrypted data over an unencrypted channel.
What do you mean by "sending unencrypted data over an encrypted channel"?
Anyways, the goal is to set up a secure channel for communication, which involves a shared secret (key) known to the communicating parties to do data encryption/decryption. The biggest problem is establishing that very key securely (normally done over an insecure channel), and there are several solutions available with benefits/drawbacks. For example, you can meet up with your buddy in an alley and tell him/her your secret. Of course, this solution isn't very scalable, and that is why there are crypto tools out there to help address that problem.
Overhead is not much of a consideration, because you incur that whether your code does the encryption, or SSL does it.
Of course overhead is something you need to consider. Depending on your application and your scalability requirements, you may not need SSL because it may be overkill. If large-scale key establishment is not a concern for your application (often the case for very simple applications), then why incur the costs of using SSL when simple encryption/decryption using something like RC4 will do? Buying and getting certificates, setting them up, writing and testing code that uses them all need to be considered. It's just not about performance. In fact, there's probably little to be gained by not using SSL once the key-establishment part is done in the SSL protocol.