What exactly does the "Proxy TLS" option do on Blackberry handhelds and how does it affect data traffic from the mobile device to BES?

Question

Blackberry OS 7.0 | BES 5.x | AT&T

Can someone please explain what the "Proxy TLS" option does (under blackberry device menus Options >> Security >> Advanced Security Settings >> TLS >> Proxy TLS)

I want to understand the end-to-end impact of having this on or off and can't seem to find relevant documentation on the topic from RIM.

Based on the name alone, I infer that having it enabled routes mobile browser traffic through a standard web proxy (of my choice defined in the trusted server list below it).

If so, does that proxy come into place BEFORE my BES server comes into play? Or after?

For example, if mobile users are connecting from hand-held device >> AT&T >> BES... would enabling proxy TLS change the hand off to device >> AT&T >> BES >> Proxy ?

Likewise, what about if the user has wifi? Would the traversal then become Device >> Wifi >> Proxy >> BES?

Answer 1

This option controls whether encryption/decryption occur on BlackBerry Enterprise Server (BES) or the mobile device.

From John M. Wargo's BlackBerry® Development Fundamentals:

In an application opening a secure connection to a backend data source, a BlackBerry device can use Secure Sockets Layer (SSL) or the updated Transport Layer Security (TLS) to encrypt the data across the connection. Because TLS is merely an updated version of SSL, both are treated as one in this section. The BlackBerry platform supports these two options for SSL:

Proxy SSL Mode: The SSL connection is made between the MDS Connection Service (MDS-CS) and the backend data source. The data between the device and MDS-CS is still encrypted using Triple-DES or AES, but the data is converted to SSL before it’s placed on the internal network.

With this option, there is a brief moment in time where the data resides on the MDS server in an unencrypted state. This option is useful when you trust the integrity of the MDS server.

End-to-End SSL: The SSL connection is made from the BlackBerry device all the way through to the backend server with which the application is communicating. This option eliminates the period where the data is temporarily unencrypted during conversion performed by MDS-CS in Proxy SSL mode. Use this option when the only trusted entities in a transaction are the BlackBerry device application and the backend server to which the device is connecting.

Using this option places a greater load on the BlackBerry device and degrades the device’s performance and battery life.