May 15, 2009

Secure AJAX calls without SSL

I recently spoke with an individual who was very upset that his password had been sniffed because he was using a web application that didn't offer a secure connection via HTTPS. I began to think about how the developer of that web app must have felt: either waste money on an SSL certificate for this dumb site (which doesn't even store any personal data) or incur the wrath of angry customers whose passwords get sniffed by pranksters.

During the conversation with this angry individual, I zoned out and decided to think about how I would approach this problem as a developer. Certainly, not all sites need secure access via HTTPS, but wouldn't it be nice for small sites to have encrypted form submissions and AJAX calls?

After some thought and some Googling, I did a bit of work on this issue for fun. I have affectionately named the fruits of my efforts RSAJAX.

I'm a big fan of getting to the fun part. Here's a demo.

I am using several open-source libraries here. Proper attribution will appear in a more-descriptive write-up I will be doing tonight. I literally just finished it up five minutes ago, so I'll probably be cleaning and tweaking it too.

Update: A web page is now available that gives more information on RSAJAX. Check it: http://www.andrewpeace.com/rsajax/

The process here is actually very basic, even for somebody like me who isn't into crypto. All you need to understand are the basics of public-key encryption (specifically, RSA) and symmetric-key encryption (specifically, RC4, a stream cipher that uses one shared key for both encryption and decryption). Just Google it...

The server generates an RSA key pair and hands the public key to the client via a regular (unencrypted) AJAX call. The JavaScript then generates an RC4 key, which is a simple matter of generating a random 256-character string (RC4 accepts keys of up to 256 bytes). That string has to come from a cryptographically strong random source, because the secrecy of the whole session rests on it being unguessable. JavaScript then encrypts its RC4 key with the server's public RSA key and sends it to the server, where it is decrypted with the private RSA key and stored for that session.

From that point on, making a secure AJAX call is simple. First, the JavaScript encrypts each value being sent to the server with the public RSA key, exactly as it did when it shared its RC4 key; once the server receives an encrypted value, it decrypts it with its private key. Two practical constraints apply on this leg: one RSA operation can only encrypt a value shorter than the modulus, and it needs a randomized padding scheme such as OAEP, since unpadded RSA turns the same password into the same ciphertext every time, which is enough for a sniffer to recognize repeats.

When the server is ready to respond, it encrypts its response with RC4 under the client's stored key, and upon receiving the AJAX response the JavaScript decrypts it with the same key. One caveat: RC4 takes no IV, so if the same key is reused for every response in a session, each response is XORed with the identical keystream, and XORing two captured responses together cancels the keystream and exposes the XOR of the two plaintexts. Deriving a fresh RC4 key per response avoids that.

Shazam! Encrypted on the way up, encrypted on the way down. Bear in mind what this does and doesn't defend against: it stops the passive sniffer from the story above, who only reads traffic. The public key itself arrives over plain HTTP, though, so anyone who can modify traffic in transit can substitute their own key and read everything. Vouching for whose key the client is actually talking to is exactly what a certificate does, and that is the part of SSL this scheme cannot replace.

If you are wondering why this process involves both RSA and RC4 encryption, there are good reasons for it. I'll get into those when I do my next write-up. Anyway, I may swap out RC4 for something a bit stronger.
