I have a website hosted on a provider which doesn't give me with a fixed ip adress so I cannot use https. I would like to edit some page using a webform but in a secure fashion.
The client would be an iphone type device, so a java or flash applet would be out of the question.
The language on the server is currently php but it could be ruby, python , perl or lua.
I would say the answer is no. The reason being is that without https, all traffic is unencrypted plain text. Therefore, any encryption algorithm or key exchange on the client side would be readable by anyone. I could be wrong though...I've never tried it.
How would it be possible to use Javascript? In order for the browser to execute the javascript, it would have to first download it from the (previously stated) insecure server. HTTPS is a server/client protocol, so if you can't implement with the server itself, you won't be able to implement it at all.
All you need for HTTPS is a single IP address, so it wouldn't matter if it changed. You should be able to use HTTPS with a dynamic IP, but you might need to talk to your hoster. If your hosting is on a shared server, then it won't work and you'll need a dedicated IP. They aren't that expensive, so maybe you should just shell out the $3/4 a month?
Alex
In theory you could implement some sort of secure communication between the client and server using Javascript and XmlHttpRequests. In practice it sounds like a lot of work and the chances of it being fast and truely secure seem low.
As Alex says above though, even if you managed to implement in JS, you'd still have to serve the JS to the client over an insecure connection, therefore making it all fairly pointless.
Still, crazier things have been implemented in Javascript before...
Installing a SSL certificate doesn't technically require a fixed IP address - the SSL certificate is tied to the host name (common name). We have often changed IP addresses on our hosts and never changed anything related to the certificates.
That said, you could indeed use JavaScript or the like, but it's not really a nice solution - it'll always smell like a hack.
You could use some form of public key encryption implemented in javascript:
The would prevent anyone from sniffing your sensitive info on the wire, but doesn't provide any protection against a man-in-the-middle attack. SSL makes such an attack a little trickier to pull off, but not impossible.
It is theoretically possible, provided you can control the client and (for example) have trusted javascript there which is not downloaded from the server. I could elaborate but anything on these lines is a PITA and error prone compared to using https.
Also it should not be necessary to have a fixed IP - do you have a domain name?
Not in the traditional sense, no but there are a few options:
Get better hosting. You could have a VPS with a fixed IP for $20/month. Certificate for $30 a year. Fairly cheap for people that need the security.
You could encrypt the form data using javascript and PGP. This is cheap (and it'll look it to your users) but it should keep your data safe enough.
There might be third parties out there that allow for form submission through their servers (and by extension) their certificates. You and your users would have to trust them not to abuse the data though.
SSL operates off the domain name, not an IP address. As long as you have and own a domain name, and have a provider willing to open port 443 and install the certificate you purchase for your site, you can do HTTPS.
That being said, assuming you can't do it, look into SRP:
From the site:"SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely...In addition, SRP exchanges a cryptographically-strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely."
They have a Javascript examples. You'd use the byproduct to encrypt the data over the wire.
However, like most posters, you'd probably be better off moving to a new provider.
It's almost 2 years later, but there's an opensource SSL/TLS implementation in JavaScript now. However, it currently relies on Flash to provide raw socket access... so unless the application is going to run on an android phone rather than an iphone, it might not be all that helpful.