Geek Answers Handbook

Is there a way to securely send information to Ajax?

I am currently developing an application in HTML + JS based almost entirely on ajax connections (using jQuery.ajax() call to make the process easier).

I was thinking of best practices for making secure calls without using HTTPS (at least for the time being. I cannot afford to pay for a certificate right now).

At this moment, the only thing that concerns me is the steps of registering and entering the system. Maybe login is a little easier. I thought about sending the username and timestamp, and then encrypt them using the user password. . That way, I would not send any passwords (keeping secret as in OAuth). The server must verify the user, decrypt with a password, and pair the received timestamp with the decrypted result. The server must store the inconsistent number in the database (to avoid repeated attacks), and then return another unique identifier to the user (encrypted using the user's password). At this point, the user should start using this key to encrypt all of his information (and possibly another version of nonce) and send it to the server. Please correct me if you find any error or leak.

The biggest problem for me is registration. I cannot encrypt information using a regular password, because if I do this in javascript, anyone can find out the password. If I serve temporary generated passwords for encryption, and I send them from the server to the client, any sniffer can get it and use it to decrypt the information.

I know that HTTPS can save my life at this stage (and maybe this is the only solution), but at the moment I can not use it.

Is there any other solution, or should I wait until I can use HTTPS? Keep in mind that if I could miss the wait, it would be better. Thank you comrades!

+4
source share
4 answers

Short answer: you cannot do this without HTTPS

Longer answer: if you try to do this without HTTPS, you will find that you are trying to reproduce everything that was developed by HTTPS. At some point you could achieve, but it is unrealistic to believe that you will be able to realize even 1% of what HTTPS offers. The only advantage you will have is an obscure security mechanism (security through obscurity), which may be OK for non-critical systems, but fail in a real critical situation.

You can create your own certificate that you know, and then work with Ajax in the same way as with normal HTTP calls. The only drawback is that users will receive a warning message.

+4
source

Using an SSL certificate is the only way, indeed, if you encrypt it in javascript, everyone can read the code and decrypt it.

http://www.startssl.com/

+3
source
  • Create a public / private key pair on the server along with a randomly generated salt.
  • Attach a key pair and salt to the user session object.
  • Send the public key and salt to the client code.
  • Use the public key and salt to encrypt AJAX requests.

This will not be a trivial task. You will probably find it cheaper and more efficient to buy a certificate.

EDIT: This also means that all regular HTTP traffic (HTML, images, CSS, etc.) is sent to clarity. This can be a problem, as it can allow the listener to indirectly figure out what the user is doing.

+2
source

I think you should take a look at:

http://assl.sullof.com/assl/

Here is the project description:

aSSL is a MIT licensed library that implements a technology similar to SSL without HTTPS.

aSSL allows the client to negotiate a secret random 128-bit key with the server using the RSA algorithm. Once the connection is established, data will be sent and received using the AES algorithm.

aSSL consists of some Javascript files and a server-side component. Since I recently changed the negotiation algorithm from RC4 to RSA, only the pure Javascript component (ASP) is currently available. I will do porting for major web languages ​​(PHP, Java, Perl, Python, TKL, etc.) as soon as possible, once the library goes through the beta phase.

0
source

More articles:


All Articles