Wednesday, April 11, 2007

Re: Protecting a JavaScript Service

In How to Protect a JSON or Javascript Service, Joe Walker looks at a few solutions such as:

  1. Use a Secret in the Request
  2. Force pre-eval() Processing
  3. Force POST requests

The last time that I worked on an JSON-based web application, I did number 1, sort of. I basically implemented a simplified version of HTTP digest authentication in order to send a username and password to the server. In order to accomplish this, I used an nonce plus a JavaScript implementation of the SHA-1 hash function.

If I were to reimplement the user authentication portion today, I would probably use this "clipperz" library that I also found on Ajaxian. I'm amazed that someone has implemented AES in JavaScript. I would think that it would be difficult, although I haven't read the specification for it. Maybe one of these days I'll implement the Diffie-Hellman key exchange, if I get bored enough or I need it for something.

1 comment:

Francesco said...

I'm Francesco Sullo, co-founder of PassPack (, an online password manager and personal vault that, like Clipperz, uses the Host-Proof-Hosting pattern to manage user's encrypted data.

After having researched the tools and script available online, we adopted Chriss Veness's libraries. He implemeted a Javascript version of xxTEA ( and AES ( - both very easy to understand and to use.

You might find them very useful.