Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is there a way to securely send information in Ajax?

Tags:

javascript

jquery

ajax

security

https

I'm currently developing an application in HTML+JS based almost entirely in ajax connections (using the jQuery.ajax() call to ease the process).

I was thinking about the best practice to make secure calls without using HTTPS (at least at this time. I can't afford paying for a certificate right now).

At this point, the only thing that concerns me is the registration and login steps. Maybe the login is a bit easier. I thought of sending the username and a timestamp, and then encrypt them using the user's password. So, by doing this, I wouldn't be sending any password (keeping as a secret like in OAuth). The server should check the user, decrypt using the password and pairing the recieved timestamp with the decrypted result. The server should keep the nonce-like number into a database (to avoid repetition attacks) and then give back to the user another unique id (encrypted with the user's password). At that point the user should start using that key to encrypt all his information (and probably another nonce) and send it to the server. Please correct me if you find any mistake or leak.

The very big problem to me is the registration. I can't encrypt with a regular password the information, because if I do that in the javascript, any could know the password. If I serve temporary generated passwords to encrypt and I send it from the server to the client, any sniffer could get it and use to decrypt the info.

I know HTTPS could save my life at this point (and maybe that's the only solution), but at this point I'm not able to use it.

Is there any other solution, or should I wait until I can use HTTPS? Bear in mind that if I could skip the wait, it would be better. Thanks mates!

like image 934
Sergi Juanola Avatar asked Jan 20 '23 22:01

Sergi Juanola

2 Answers

Short answer: You can't do it without HTTPS

Longer answer: If you try to do it without HTTPS, you will find yourself trying to reproduce everything that HTTPS was designed to do. You could reach at some point, but it is unrealistic to believe that you will succeed in implementing even the 1% that HTTPS offers. The only benefit you will have would be an obscure security mechanism (security through obscurity), which may be OK for not critical systems, but would fail miserably in a real critical situation.

You could create your own certificate you know and then work with Ajax the same way as with regular HTTP calls. The only drawback is that the users will get a warning message.

like image 143
kgiannakakis Avatar answered Jan 28 '23 05:01

kgiannakakis

Using an SSL Certificate is the only way really, if you encrypt it in javascript anyone can read the code and decrypt it.

http://www.startssl.com/

like image 33
Joshwaa Avatar answered Jan 28 '23 06:01

Joshwaa
Sign in to Comment

Related questions

How to sort two arrays with the same random sort
Letting User Draw On a Google Map?
Is it possible to download file from FTP using Javascript?
Give shadow effect using jQuery
Preload external website content, then redirect
is <script><!--//--></script> useful anymore
C# + IE9 JS Engine Chakra?
Colorbox: Calling colorbox.close
How to maintain cache for Java/J2EE web application?
international Count sms characters
DateTime JavaScript vs C#
What can I use Backbone JS's Models for exactly? Is this too far?
Feasibility of MMO 3D game on HTML5/WebGL [closed]
How do you open a new tab in chrome using HTML/JS?
How do I use Lawnchair with more than one table?
Calling a JavaScript function
Lightbox using tags or <a href=[base64]>
c# code to validate organisation/company number?
Converting Characters to ASCII in JavaScript
Unwanted recursion - how to avoid child click event from passing to parent in jquery?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!