
php - Is it possible to have a secure web form without an https server? - Stack Overflow


I have a website hosted on a provider which doesn't give me a fixed IP address, so I cannot use https. I would like to edit some page using a web form but in a secure fashion.

The client would be an iPhone-type device, so a Java or Flash applet would be out of the question.

  • Is there a way to still have a secure connection between the server and the browser using only JavaScript in the browser?

The language on the server is currently PHP but it could be Ruby, Python, Perl or Lua.


asked Feb 5, 2009 at 14:31 by nico_h (community wiki)

  • I don't think having a fixed address has anything to do with having https available ... AFAIK all you need is for the provider to provide an SSL cert and listen on port 443 – matt b, Feb 5, 2009 at 14:34

10 Answers

Installing a SSL certificate doesn't technically require a fixed IP address - the SSL certificate is tied to the host name (common name). We have often changed IP addresses on our hosts and never changed anything related to the certificates.

That said, you could indeed use JavaScript or the like, but it's not really a nice solution - it'll always smell like a hack.

You could use some form of public key encryption implemented in javascript:

  • You give client side the form, your public key, and a js encryption library
  • On submission, js kicks in and encrypts the form payload
  • You decrypt with your private key

That would prevent anyone from sniffing your sensitive info on the wire, but doesn't provide any protection against a man-in-the-middle attack. SSL makes such an attack a little trickier to pull off, but not impossible.

Not in the traditional sense, no but there are a few options:

  1. Get better hosting. You could have a VPS with a fixed IP for $20/month. Certificate for $30 a year. Fairly cheap for people that need the security.

  2. You could encrypt the form data using javascript and PGP. This is cheap (and it'll look it to your users) but it should keep your data safe enough.

  3. There might be third parties out there that allow for form submission through their servers (and by extension) their certificates. You and your users would have to trust them not to abuse the data though.

In theory you could implement some sort of secure communication between the client and server using JavaScript and XmlHttpRequests. In practice it sounds like a lot of work and the chances of it being fast and truly secure seem low.

As Alex says above though, even if you managed to implement in JS, you'd still have to serve the JS to the client over an insecure connection, therefore making it all fairly pointless.

Still, crazier things have been implemented in Javascript before...

I would say the answer is no. The reason being is that without https, all traffic is unencrypted plain text. Therefore, any encryption algorithm or key exchange on the client side would be readable by anyone. I could be wrong though...I've never tried it.

It is theoretically possible, provided you can control the client and (for example) have trusted javascript there which is not downloaded from the server. I could elaborate but anything on these lines is a PITA and error prone compared to using https.

Also it should not be necessary to have a fixed IP - do you have a domain name?

How would it be possible to use Javascript? In order for the browser to execute the javascript, it would have to first download it from the (previously stated) insecure server. HTTPS is a server/client protocol, so if you can't implement with the server itself, you won't be able to implement it at all.

All you need for HTTPS is a single IP address, so it wouldn't matter if it changed. You should be able to use HTTPS with a dynamic IP, but you might need to talk to your hoster. If your hosting is on a shared server, then it won't work and you'll need a dedicated IP. They aren't that expensive, so maybe you should just shell out the $3/4 a month?

Alex

SSL operates off the domain name, not an IP address. As long as you have and own a domain name, and have a provider willing to open port 443 and install the certificate you purchase for your site, you can do HTTPS.

That being said, assuming you can't do it, look into SRP:

From the site:"SRP is a secure password-based authentication and key-exchange protocol. It solves the problem of authenticating clients to servers securely...In addition, SRP exchanges a cryptographically-strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely."

They have JavaScript examples. You'd use the byproduct to encrypt the data over the wire.

However, like most posters, you'd probably be better off moving to a new provider.

It's almost 2 years later, but there's an open-source SSL/TLS implementation in JavaScript now. However, it currently relies on Flash to provide raw socket access... so unless the application is going to run on an Android phone rather than an iPhone, it might not be all that helpful.

http://github.com/digitalbazaar/forge/blob/master/README

Yes. You can use an embedded form, using PGP encryption, from Private Forms.

Private Forms is a SaaS that encrypts web form data client-side before sending the data to the server. Then, this encrypted data is sent to you. All data is encrypted using your PGP public key, which only you can decrypt using your PGP private key.

So, the person filling out the forms knows it's "secure", but they don't need to be familiar with the details (like generating keys, etc).
