Secure Ajax Layer

In an effort to provide a safe and secure environment for Rich Internet Application development, with minimal fuss, we have developed the Secure Ajax Layer library. This library uses the latest encryption methods such as AES and RSA to keep your communications private, and keep your Ajax application servers secure from hacking attempts. It does this with a protocol that ensures encryption keys and program code are delivered to the web client without exposing shared secrets and protecting the keys and code from modification and from prying eyes.


It does this WITHOUT the need for SSL or HTTPS, which have been under increasing attack in recent months, and are notoriously expensive and difficult to set up.


Why do you need this?

  • HTTPS servers can be costly, and not all hosting providers can give it to you.
  • Properly generated and authenticated certificates are very costly and must be renewed regularly.
  • HTTPS and SSL have been under increasing attack, and there have been reports of many successful attacks! For details, see the references below.
  • Your browser's XMLHTTPRequestObject, the object that enables AJAX, can be compromised outside of your web application, and can funnel data to other destinations EVEN IF YOU USE SSL AND HTTPS.
  • Even with HTTPS, attackers can still probe your webservices for vulnerabilities. SSL proves your servers identity, not the clients.
  • This library by default counters these issues, and with additional safe practices, can overcome all of them.

Features:

  • Uses AES-256 for communications, with 128 bit RSA signatures.
  • Encryption keys are randomly generated per session, and can be renegotiated as needed.
  • Distribution of encryption keys and client-side code is performed with a proprietary process that is immune to man-in-the-middle attacks.
  • Shared secrets DO NOT pass through the communications channel.
  • Does NOT use SSL or third party certificates.
  • Written entirely in PHP on the server and JavaScript on the client.
  • Provides authentication of the user, and the server.
  • Secures your transaction data.
  • Secures your web application on the server from prying.
  • Secures your client from man-in-the-middle attacks on JavaScript code loading.
  • Can also securely transfer stylesheets, images, and whole HTML pages.
  • Cheap, effective, and simple to use!

What it does for you:

The Secure Ajax Library is comprised of 3 PHP webservices, a JavaScript, and a PHP server template that can be used as the model for your secure web services. These scripts together implement the Secure Ajax Layer protocol.

The Secure Ajax Layer can transmit XML, JSON, JavaScript, stylesheets, HTML documents, and plain text back and forth between the client and the server. On web clients that implement data URLs, even images can be securely transferred. All messages to and from the server are encrypted and signed, and properly validated messages are read and interpreted by the server, ensuring that nobody can call your APIs without being authenticated and authorized by the Secure Ajax Layer. Additionally, only properly encrypted and signed messages are interpreted by the client, protecting your client from data, pages, and scripts being modified in transit.

Using our Safe Programming Practices, we can ensure that your web application can be made at least as secure as HTTPS, with much less cost and fuss, and used in conjunction with HTTPS pages, your web application can be made much more secure than HTTPS alone.

There is a free PHP version of SecureAjax, as well as a commercial version that exists as a compiled PHP extension.
The free version is hosted here at GitHub, which we will try to support via email as best we can. If you are interested in licensing commercial version of the Secure Ajax Layer libaray, please send us an email and we would be glad to help!


References:


For More Information:

For more information, email us at info@nearlyperfectsoftware.com or use our feedback form .