I came across aSSL, which appears to be a couple of years old, and was wondering if anyone has other examples of "secure" AJAX connection code? Obviously, this wouldn't be as secure as using an SSL certificate, but with the null character SSL attack out there (recently demonstrated against PayPal), would it be worthwhile to revisit something like aSSL for sites that need to be "highly" secure, such as online banking, etc.? And, if so, what would be the best way to go about it?

+1  A: 

The only way of having a secure channel is by knowing for sure that the other party is who you think he is. This is where the PKI (Public Key Infrastructure) comes into play with SSL. Without a PKI, it is very hard to have "trust" and this is exactly what CAs (certification authorities) sell.

An example of a system without an explicit CA is PGP; however, the problem is that it is hard to know whether the person who claims to be person X having public key Kx is not in reality person Y having public key Ky.

So it's best to stick to default SSL instead of using some commercial/open source software that is made by semi-professionals.

Henri
To make this answer explicit: at the beginning of the exchange, aSSL sends the server's public key to the client. This public key is used to wrap a client-generated AES symmetric key. To prevent spoofing, the client must be able to validate that the public key is actually owned by the server and not by an attacker. PKI is the best solution to this problem and works reasonably on the web. Use SSL, even for online banking. There are a lot of other security issues (e.g. XSS) that you should devote more attention to.
Chris Clark
+1  A: 

To avoid any issues with the null character SSL flaw, online banks should use an EV SSL certificate because they are not affected. aSSL might be a good addition to an EV SSL certificate.

Robert
+1  A: 

The opensource Forge project provides a JavaScript implementation of SSL (TLS) and has an XmlHttpRequest wrapper for using it in ajax calls.

http://github.com/digitalbazaar/forge

dlongley