Can you send information to your server securely without https? - javascript

I have a regular website with no login process. There was never anything on it that needed to be private so I'm using http. However I recently added an "E-mail Me" form, and some people might include sensitive information emailing me.
If the data is sent to my server with an Ajax $.post, can the data be read by someone watching the network traffic?
If so, is there any way I can secure it without switching to https?
OK: So definitely yes to No. 1.
For everyone that said no, why can't I use my own public-key/private-key for this?

If the data is sent to my server with an Ajax $.post, can the data be read by someone watching the network traffic?
Yes, for sure
If so, is there any way I can secure it without switching to https?
No, not really/practically.

You will need to use https, there is no other way to truly secure the information

The short answer is NO.
The long answer is that if you use js, the person monitoring the traffic will be able to know how you encode the data and easily decode it. If you use server side language (C# for example), the data will be transmitted as plain text to the server so the person monitoring the traffic will be able to read it clearly.
The only way is that you use a secure connection (HTTPS)

Related

How to send Client IP Address as AJAX request data

I'd like to grab a client IP address using javascript and send it over to my server using AJAX request. Any suggestions on how I can achieve this would be awesome. Some code example would be even better.
Thanks in advance!
Front-end Javascript by itself doesn't have access to anything that will tell it a user's IP address. See here:
How to get client's IP address using JavaScript?
However, like it says in that answer, there are APIs you can use to get the IP address.
More importantly, though, any server receiving your AJAX request will have automatic access to the IP address. So if you can set up code on the server you should be good to go, or at least will have a different question.
If you don't have control over the server, and instead are doing something like POSTing data to a webforms API, then using an API is your best bet.
Client-side JavaScript has no access to the network addresses. What you're specifically asking for isn't possible.
You can determine the closest routable address for the client server-side, but this could always be an upstream proxy or NAT router.

is it safe to make instagram API request from client side?

Based on this, Instagram provides access to GET-based endpoints using JSONP, which I know includes the access token when making a request. We can load user photos using only the client side with JSONP. I am interested in using this method because it is faster than loading photos server-side.
Is it safe to include the access token, or a URL that includes the access token, on the client side? If not, how do I secure it?
No it is not secure.
If you don't need to make too many requests, you should use your CLIENT-ID on the server-side, which gives you a limited quota (5000 requests per hour per application).
You should use your ACCESS-TOKEN on the server-side, and not on the client-side because anyone can see it. This will allow you to have a higher quota. (5000 requests per hour per token)
Anything loaded to the client is insecure and should not be counted on to work properly. If someone experienced wants to get something from its content or change something in the way it works, he can, no matter what you try. So in that regard, no, it is not safe to include access tokens.
It then boils down to: how much do you care about someone getting his hands on it?
The only possible answer to this, which will not really work and just makes things harder for an 'attacker', is code obfuscation.

How to Encrypt AJAX GET & POST with javaScript and Node.js

I would like to encrypt ajax post and get request with javascript.
The flow should be -
Server generates private and public key on request
Server sends the public key to client
Client encrypts the data with public key
Server decrypts the data with the private key
I know SSL is an option, but my application is a small plugin which can be installed on any website that allows a user to purchase products on that website. Is there a way I can encrypt all the data at the front end and decrypt it at the back end?
Thanks in advance!
Generally speaking, in-browser cryptography can be considered a bad idea. Sending the data over SSL/TLS would likely be much more secure than a home-brewed crypto solution like you seem to be suggesting. This can be considered especially bad when transmitting data like credit card info, as it appears you will be.
http allows for extremely easy man in the middle attacks to eavesdrop on any data being sent either way, so there would almost certainly be no secure way to transmit the keys in the first place, let alone the secure information.
If you really really want to go this route, then have a look at crypto-js.
This is not a good idea, and you should use SSL. Probably hence the downvotes.
Considering your use case, the best way to do this would probably be to host your own central service with SSL enabled, and route all ajax requests to your service, not theirs. Their servers could then poll your server using your SSL certificate, to view any relevant information. So you would be acting as some sort of centralised API, with both the clients and businesses connecting. You still need to consider however, that any information sent in the clear, ie over http, not https, can be tampered with before it reaches the user.
As far as I am aware, no, you cannot generate SSL certificates on the fly.

AJAX call to https endpoint = secure?

I am planning a Cordova mobile application (a Meteor.js app to be precise) and I need to POST/GET some sensitive data from a remote server securely.
When the request is pointed at an https endpoint, is it secure? My guess is that it does not work this way.
Just to say - I have read some SO questions and searched google but most of them refer to CORS problems, which I am not facing.
Thanks for any help.
Yes and no
Is sending data to an https server secure?
Yes, if you are sure that you are sending the data to your server.
But you might be connected to a public wifi, and somebody could be doing a man-in-the-middle attack, so you think that you are sending your data to your server, but the hacker is getting the data instead.
To avoid this, you can do server certificate pinning, there are a few plugins available, so you make sure the server where you are sending the data is really yours (comparing certificate fingerprint or checking some of the values)
https://github.com/EddyVerbruggen/SSLCertificateChecker-PhoneGap-Plugin
It depends on what you need. Https (TLS) will provide your mobile users with the certainty that they are communicating with the server that is identified by the certificate. It will also encrypt the communication between the server and the mobile application so no one can listen in.
It won't authenticate your users and allow you to serve certain data to specific users only. You'd need some kind of authentication scheme for that.
It won't protect you from XSS, CSRF, SQL injection or other attacks either. So it very much depends on what your requirements are, but https by itself is not enough to protect a website.

sending personal info over http in an ajax post. Is it secure? Why?

I'm doing some Codecademy courses at the moment. It's a great service, highly recommended.
I've noticed they use some tracking. They use ajax posts to send user information to their tracking provider.
http://track.segment.io/
It sends some json -
{"data":{},"newId":"myemail.emailn#gmail.com","api_key":"sfdsdkjf","user_id":"myemail.email#gmail.com","callbackId":111,"attributes":{"firstSeen":"2012-02-15T17:28:23.978Z","lastSeen":"2012-02-15T17:28:23.978Z","temp":false},"context":{"timestamp":"2012-02-15T17:28:23.979Z","visit":{"id":"asfsaasfsa","start":"2012-02-15T15:23:11.000Z","end":"2012-02-15T17:28:23.978Z"}}}
You'll notice that as I've not set my user name it uses my email as a reference to who I am. this seems like bad practice to me, but I'm unsure why.
My question is -
Should they be sending this info over https? I thought any personal info should always be sent over https, but I don't really understand why. Is there a security risk here?
You're right, they should be sending personal info over https, since it is a secure connection which uses SSL.
That means that whoever is on your network cannot (or, well, it will be very hard for him to) get the data of your requests.
Without the use of SSL, anyone who is sharing your network can in fact see all of the data you are sending/receiving.
Unfortunately, there's no way to enforce that.
Yes and no. There is always the possibility of man-in-the-middle attacks. But you have to ask yourself... Is my email and API key really so dangerous in the hands of another person? This really goes into risk assessment of a project and calculating risk management.
If the company feels that disclosure of these credentials can't be used to escalate an attack, then that's why this information is less secured. However, if there is a possibility of escalation, you are never going to know unless you yourself try, haha.
You are correct that sending HTTP POSTs with a JSON payload is not as secure as using HTTPS. However, this is no more or less secure than any other HTTP communication that contains your personal information.
For example, if your email address was in a table on a normal HTML page on the server:
<table>
<tr><td>Email:</td><td>myemail.emailn#gmail.com</td></tr>
</table>
...then this would be just as much of a problem as the AJAX method.
It boils down to the requirements of the site. If you're doing something like online banking, HTTPS is a must. However, I doubt you have to worry about hackers intercepting HTTP traffic when you're using a site such as Codecademy, and HTTPS comes at a cost as well.
