I'm building a web API very similar to what StackOverflow provides.
However, in my case security is important since data is private.
Short answer: if it's supposed to be usable through usual clients (browser requests/AJAX), you're screwed.
As long as you are using an unencrypted transport, an attacker could just remove any sort of in-page encryption code through a MITM attack. Even SSL doesn't provide perfect security - but plain HTTP would require some out-of-page specific extensions.
HTTP provides only transport - no secure identification, no secure authentication, and no secure authorization.
Example security hole - a simple HTTP page:
This may look secure, but it has a major flaw: you don't have any guarantee, at all, that you're actually loading the file superstrongencryption.js you're requesting. With plain HTTP, you'll send a request somewhere, and something comes back. There is no way to verify that it actually came from example.com, nor do you have any way to verify that it is actually the right file (and not just function encryptEverything(){return true}).
That said, you could theoretically build something very much like SSL into your HTTP requests and responses: cryptographically encrypt and sign every request, same with every response. You'll need to write a special client (plus server-side code of course) for this though - it won't work with standard browsers.
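The message-level signing described in the last paragraph of the answer above, as an added example that is not part of the original post. It assumes a key already shared between a custom client and the server; the names sign_message, verify_message and canonical are hypothetical. It covers authenticity, freshness and replay rejection only, not encryption.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 300  # seconds a signed message stays acceptable (assumed policy)


def canonical(method, path, ts, nonce, body):
    # Unambiguous byte string covering every field an attacker could alter.
    fields = [method.upper(), path, ts, nonce, hashlib.sha256(body).hexdigest()]
    return json.dumps(fields, separators=(",", ":")).encode()


def sign_message(key, method, path, body, now=None):
    """Sender: build an envelope authenticated with HMAC-SHA256."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(16).hex()  # unique per message, lets the peer reject replays
    mac = hmac.new(key, canonical(method, path, ts, nonce, body), hashlib.sha256)
    return {"method": method, "path": path, "ts": ts, "nonce": nonce,
            "body": body.decode("utf-8"), "mac": mac.hexdigest()}


def verify_message(key, msg, seen_nonces, now=None):
    """Receiver: return the body if authentic, fresh and unseen, else raise ValueError."""
    now = time.time() if now is None else now
    body = msg["body"].encode("utf-8")
    expected = hmac.new(key, canonical(msg["method"], msg["path"], msg["ts"],
                                       msg["nonce"], body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(msg["mac"])):  # constant-time compare
        raise ValueError("bad signature")
    if abs(now - msg["ts"]) > MAX_SKEW:
        raise ValueError("stale timestamp")
    if msg["nonce"] in seen_nonces:
        raise ValueError("replayed nonce")
    seen_nonces.add(msg["nonce"])
    return body


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    seen = set()
    msg = sign_message(key, "GET", "/questions/42", b"")
    print(verify_message(key, msg, seen))            # accepted once
    try:
        verify_message(key, dict(msg, path="/questions/43"), seen)
    except ValueError as err:
        print("rejected:", err)                      # altered in transit
```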