AJAX - The Complete Reference


308 Part II: Developing an Ajax Library


md5 version of the password, future browser-performed reauthentications will not know what
to do with the md5 value in the Authorization header and will throw up their standard
challenge again. Given that it is trivial to retrieve the credentials of an intercepted transmission
using basic authentication, and you can't address this by doing your own password hash, it is
strongly recommended that if you are using this approach you do it over SSL.

Ajax and SSL


If you have purchased anything online, you are undoubtedly aware of https connections
encrypted via SSL (Secure Sockets Layer), as it is commonly known, or its newer IETF
descendant, Transport Layer Security (TLS). This security mechanism can authenticate sites
and even users by means of public key certificates and is used to significantly secure the
communications channel. This can be done smoothly and in the normal context of Web
applications. However, far too many sites opt not to use SSL because of the cost of
certificates coupled with the tremendous overhead that an SSL connection adds to an origin
server. If SSL connections are employed, they are often offloaded to other servers or
network appliances, or they are limited to certain sensitive portions of a transmission, such
as an initial login in a custom authentication scheme.
Notwithstanding the various costs associated with SSL, can it work with Ajax? The
simple answer is yes; the more detailed answer is not optimally. The simple example at
http://ajaxref.com/ch7/ssl.html shows the small nuance to address. Given the same-origin
policy, you cannot make a call from a page loaded over standard http to an https URL, nor
can you do so from https to http (see Figure 7-7). Unfortunately this requirement means you
will need to make all of your requests via SSL: images, CSS, and everything else. There is
certainly delivery overhead to this, as previously mentioned.
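The same-origin test the browser applies to an XMLHttpRequest target, written out as an added example (not code from the book or from ajaxref.com): scheme, host and port must all match the page's origin, so an http page calling an https URL (or the reverse) is rejected. It assumes the WHATWG `URL` class (available in browsers and Node.js); the paths and the `guardedSend` wrapper are constructed for illustration.

```javascript
// Default ports per scheme; a URL that spells out its default port is still
// the same origin as one that omits it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the three components the same-origin policy compares.
// Relative targets such as "/ch7/ssl.html" resolve against the page URL,
// exactly as the browser does for XMLHttpRequest.open().
function originParts(href, base) {
  const u = new URL(href, base);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Returns { allowed, reason } describing whether an XHR issued from the page
// at `pageHref` may target `requestHref` under the same-origin policy.
function checkAjaxTarget(pageHref, requestHref) {
  const page = originParts(pageHref);
  const target = originParts(requestHref, pageHref);
  if (page.scheme !== target.scheme) {
    return { allowed: false,
             reason: `scheme mismatch: ${page.scheme} page cannot call ${target.scheme} URL` };
  }
  if (page.host !== target.host) {
    return { allowed: false, reason: `host mismatch: ${page.host} vs ${target.host}` };
  }
  if (page.port !== target.port) {
    return { allowed: false, reason: `port mismatch: ${page.port} vs ${target.port}` };
  }
  return { allowed: true, reason: "same origin" };
}

// Hypothetical wrapper: runs the check before handing the URL to `send`
// (e.g. a function that opens an XMLHttpRequest), so a cross-scheme target
// fails with a clear error instead of being silently blocked by the browser.
function guardedSend(pageHref, requestHref, send) {
  const verdict = checkAjaxTarget(pageHref, requestHref);
  if (!verdict.allowed) {
    throw new Error(`blocked by same-origin policy: ${verdict.reason}`);
  }
  return send(new URL(requestHref, pageHref).href);
}
```

Running the check against `http://ajaxref.com/ch7/ssl.html` and an https target on the same host yields a scheme mismatch, which is exactly the nuance the ssl.html example demonstrates.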
It would be desirable to have transmission encryption just for the Ajax payloads, but at
this point, it is required to implement such a framework in JavaScript directly. Given that

FIGURE 7-7 SSL and Ajax work together fine as long as same origin is respected.