views: 90

answers: 1

I am creating a web service for end users which will have a front-end in the form of an Adobe AIR desktop app, but users will be able to access their data through the website too. Users' data will be synchronized between the server and the local data store. The problem is that I cannot get an SSL certificate. Is there a way to make this more secure...

I think I can use something like two-legged OAuth or an Amazon S3-like authentication system?
What do you recommend in such a situation?

+3  A: 

The first question is: why can you not get an SSL certificate? I can think of two reasons:

  1. SSL certificates are too expensive
  2. You don't want to have a certificate issued by a third party

If your problem is #1, StartSSL provides free certificates with a 1-year validity or charges $50 for unlimited certificates valid for 2 years (including wildcards). They are recognized by both Mozilla and the Microsoft trust store.

If the issue is #2, why not issue a self-signed certificate and hard-code it into your application? That does not compromise the security of the system at all (only your particular cert will be accepted by the app), but eliminates the need to "get" an SSL certificate from somewhere else.

If you really, really can't use SSL, look at challenge-response systems such as Kerberos or anonymous key-material generators like Diffie-Hellman (with an asymmetric key for server identity validation). Many methods exist for secure two-party authentication over an insecure line. The key is that the ID verification step must be challenge-response instead of a "send me your secret" scheme.

Borealid
Even if the SSL certificate is free, I do not have access to a static IP.
Shubh
@Shubhkarman: Who told you that you need a static IP to use SSL? They're wrong. The problem with not having a static IP is the difficulty in making the connection between the client and the server at all. But you can manage with a dynamic DNS service.
Borealid
Some hosts require you to have a static IP because shared hosts use the same IP for everyone and you can't use the default port (443) on more than one site.
Inigoesdr
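To make the answer's last point concrete, here is an added example (not code from the question or the answer) of a challenge-response login in Python: the server hands out a random, single-use nonce, the client proves it knows the shared secret by returning an HMAC over that nonce, and the secret itself never crosses the wire. The user name, secret and challenge lifetime are constructed for the illustration; the `Server` class and `compute_response` helper are assumptions of this example, not any real library's API.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credential store: the server holds one secret per user,
# established out of band (e.g. at sign-up). Illustrative value, not real.
USER_SECRETS = {"alice": b"correct horse battery staple"}

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed policy)


def compute_response(secret, username, nonce):
    """Client-side proof of knowledge: HMAC-SHA256 over username and nonce.

    Only this digest is sent to the server; the secret stays on the client,
    which is what distinguishes this from a "send me your secret" scheme.
    """
    msg = username.encode() + b"\x00" + nonce.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    """Issues single-use challenges and verifies the HMAC responses."""

    def __init__(self, user_secrets, now=time.time):
        self._secrets = user_secrets
        self._now = now              # injectable clock, handy for testing expiry
        self._pending = {}           # nonce -> (username, issued_at)

    def issue_challenge(self, username):
        # Always hand out a challenge, even for unknown users, so the reply
        # does not reveal which user names exist. Such a challenge can never
        # be answered correctly.
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (username, self._now())
        return nonce

    def verify(self, username, nonce, response_hex):
        # pop() makes every nonce single-use: a captured response cannot be
        # replayed later, because the nonce is gone after the first attempt.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        issued_user, issued_at = entry
        if issued_user != username or self._now() - issued_at > CHALLENGE_TTL:
            return False
        secret = self._secrets.get(username)
        if secret is None:
            return False
        expected = compute_response(secret, username, nonce)
        # Constant-time comparison avoids leaking the expected digest
        # byte by byte through timing differences.
        return hmac.compare_digest(expected, response_hex)


def login(server, username, secret):
    """Run one full exchange: get challenge, answer it, return (nonce, ok)."""
    nonce = server.issue_challenge(username)
    ok = server.verify(username, nonce, compute_response(secret, username, nonce))
    return nonce, ok


if __name__ == "__main__":
    srv = Server(USER_SECRETS)
    print(login(srv, "alice", USER_SECRETS["alice"]))   # (..., True)
    print(login(srv, "alice", b"wrong secret"))          # (..., False)
```

Two things worth noting about the design. First, this proves only that the client knows the secret; it does not protect the synchronized data afterwards, so over plain HTTP the payloads and any session token are still readable and an active attacker could hijack the session after a successful login. That is why the answer pairs challenge-response with a key agreement such as Diffie-Hellman, or simply with SSL. Second, an S3-style scheme is the same idea applied per request: each request carries an HMAC over its contents instead of a one-time login exchange.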