AJAX secure connection / SSL null character cert attack?

I came across aSSL, which seems to be a couple of years old, and wondered if anyone has any other examples of "safe" AJAX connection code? Obviously this would not be as secure as using an SSL certificate, but with the null character SSL attack (recently demonstrated against PayPal), would it be wise to revisit something like aSSL for sites that need to be "very" secure, such as online banking, etc.? And if so, what would be the best way to do it?

+2
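The null character certificate problem named in the question comes from clients comparing a certificate name as a C string, although the name is stored with an explicit length and may contain a 0x00 byte. The following is an added example, not part of the original post and not code from aSSL or any TLS library; the `cert_name` type, the function names and the sample names are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical type: a certificate name as bytes plus explicit length.
   ASN.1 strings are not NUL-terminated, so 0x00 may appear inside. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison stops
   at the first NUL byte and the remainder is never examined.
   (The samples below are NUL-terminated, so this is safe to run here.) */
int naive_name_matches(const struct cert_name *cn, const char *host)
{
    return strcasecmp(cn->data, host) == 0;
}

/* Hardened check: refuse names with an embedded NUL, then compare the
   full declared length against the expected host name. */
int strict_name_matches(const struct cert_name *cn, const char *host)
{
    size_t host_len = strlen(host);

    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                 /* malformed name: never a match */
    if (cn->len != host_len)
        return 0;
    return strncasecmp(cn->data, host, host_len) == 0;
}

/* Constructed sample names, not taken from any real certificate. */
static const char crafted[] = "bank.example\0.attacker.example";
static const char honest[]  = "bank.example";
const struct cert_name crafted_cn = { crafted, sizeof(crafted) - 1 };
const struct cert_name honest_cn  = { honest,  sizeof(honest) - 1 };

int main(void)
{
    printf("naive  accepts crafted name: %d\n",
           naive_name_matches(&crafted_cn, "bank.example"));
    printf("strict accepts crafted name: %d\n",
           strict_name_matches(&crafted_cn, "bank.example"));
    printf("strict accepts honest name:  %d\n",
           strict_name_matches(&honest_cn, "bank.example"));
    return 0;
}
```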




3 answers


The only way to have a secure channel is to know for sure that the other party is who you think they are. This is where PKI (Public Key Infrastructure) comes into play with SSL. Without PKI, it is very difficult to have "trust", and this is exactly what CAs (certificate authorities) sell.

An example of a system without an explicit CA is PGP; however, the problem is that it is difficult to know whether the person claiming to be person X with the public key Kx is not actually person Y with the public key Ky.



Therefore, it is better to stick with standard SSL instead of using any commercial / open source software that is produced by semi-professionals.

+1




To avoid any problem with the SSL invalid flaw, online banks should use EV SSL certificates because they are unaffected. aSSL can be a good addition to an EV SSL certificate.



+1




The open source Forge project provides an SSL (TLS) implementation and has an XmlHttpRequest wrapper for use in AJAX calls.

http://github.com/digitalbazaar/forge

+1








