views:

50

answers:

2

Hi

I am starting to look at a bit of security for my site. My site I would consider a very low security risk, as it has really no personal information from the user other than email.

However, the security risk will go up a bit as I am partnering with a company, and the initial password for this company's users will be the same password they use essentially to get onto the network and every piece of software.

So I have upped my security (which is fine by me... I wanted to get around to this anyway).

So one of my security concerns is this:

  1. A user logs in.
  2. Form submit (non-AJAX) is done.
  3. Password is hashed & salted and compared to the one in the database.
  4. Reject or let them proceed.

So this uses no jQuery or AJAX but is just ASP.NET MVC and C#. Still, if my understanding is right, the password is sent in clear text.

So if I use SSL I would not need to worry about that, is this correct?

If that is true, is that all I need?

Second, the user can change their password at any time. This is done through AJAX. So when the password is sent it is sent in clear text (and I can verify this by looking at Firebug).

So if I have SSL enabled on this page, is that all I need, or do I need to do more?

So I am just kind of confused about what I need to make the password being sent to the server secure (both the AJAX and the full post ways).

I am not sure if I need to do more than SSL or if that is enough, and if it is not enough, what is the next layer of security?

A: 

If you use HTTPS/SSL for your page, your AJAX requests will (by default) be handled the same way, so yes, this would eliminate all the clear-text issues and you'll get all the security benefits of SSL with your AJAX requests as well.

I would say for most sites this provides a sufficient level of protection, as much as is sane anyway. Keep in mind that nothing is 100% secure (go to any mainstream conference; the security talks will scare you :). It may be 100% secure so far, but it rarely remains that way. That being said, SSL is the most effective security mechanism/deterrent readily available, and it's the best route to go.

Also, SSL is the cheapest in terms of development time; you may not need to change a single line of code in your app to get it working, just make sure to keep your certificates valid/up-to-date.

Nick Craver
Cool, then I'll probably just implement HTTPS/SSL until something more is needed. So for my AJAX calls, do I change them all to HTTPS instead of HTTP? Should I make all calls HTTPS or only the ones that send the passwords? So what I am getting at is: does making everything a secure call give a hit on performance or slow down the calls that actually use it?
chobo2
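One way to wire this up in ASP.NET MVC, as an added example that is not part of the question or either answer: the full-page login post and the AJAX password change sit on one controller marked `[RequireHttps]`, so both paths are forced onto HTTPS without touching the client-side URLs. The model classes, the `IAccountService` interface and the action names are assumptions made for this example.

```csharp
using System.Web.Mvc;

// Models and the verification service are assumptions for this example;
// the real hashing/salting and comparison live behind IAccountService.
public class LoginModel { public string Email { get; set; } public string Password { get; set; } }
public class ChangePasswordModel { public string OldPassword { get; set; } public string NewPassword { get; set; } }
public interface IAccountService
{
    bool Verify(string email, string password);
    bool ChangePassword(string email, string oldPassword, string newPassword);
}

// [RequireHttps] covers every action on the controller: a plain-HTTP GET is
// redirected to its HTTPS equivalent, and a plain-HTTP POST (form or AJAX) is
// refused outright, so a password can never leave the browser in clear text
// by accident. To enforce it site-wide, as the follow-up comment asks, register
// it once in Global.asax instead: GlobalFilters.Filters.Add(new RequireHttpsAttribute());
[RequireHttps]
public class AccountController : Controller
{
    private readonly IAccountService _accounts;

    public AccountController(IAccountService accounts) { _accounts = accounts; }

    // Steps 1-4 of the question: the ordinary (non-AJAX) login post.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        if (!ModelState.IsValid || !_accounts.Verify(model.Email, model.Password))
        {
            ModelState.AddModelError("", "Invalid email or password.");
            return View(model);                        // reject
        }
        return RedirectToAction("Index", "Home");      // let them proceed
    }

    // The AJAX password change. A relative URL in the script inherits the scheme
    // of the page that loaded it, so once the page is served over HTTPS the
    // XMLHttpRequest is HTTPS too; no per-call URL change is needed.
    [HttpPost]
    [ValidateAntiForgeryToken] // the token must be posted along with the fields
    public JsonResult ChangePassword(ChangePasswordModel model)
    {
        bool ok = ModelState.IsValid
                  && _accounts.ChangePassword(User.Identity.Name, model.OldPassword, model.NewPassword);
        if (!ok) Response.StatusCode = 400;
        return Json(new { ok });
    }
}
```

To keep the session/authentication cookie from ever being sent over plain HTTP after login, also set `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` in web.config.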
A: 

If you are using SSL, your data sent across to the server is well taken care of by SSL, let it be an AJAX hit or a simple hit.

sushil bharwani