Best way of securing API calls with no SSL?

Question

We have over 100+ client sites that run on a common codebase and these are all unique domains. We'd like to introduce advanced features that leverage sensitive user information. This presents business issues:

1. Contact each client and mandate we need payment to secure a certificate for their domain
2. Eat the cost of all certificates and ones going forward
3. Eat the cost of current domains and raise future prices to cover each new certificate

Now, it's important to realize that nothing here is my call. I'm an engineer, not a high-level decision maker, so I'd like to assume the above 3 scenarios are no good (although I will present them).

Is there an authentication scheme I can leverage to secure sensitive APIs with no SSL, or am I out of luck?

One solution I've come up with is iframing a login page on our main site, which does have SSL, and listening for a callback of yay or nay. This was met with a lukewarm reception! So any non-iframe answers are most welcome!

Answer 1

Is there an authentication scheme I can leverage to secure sensitive APIs with no SSL, or am I out of luck?

Your out of luck, anything sent over the wire without SSL is effectively open to infiltration. You could make it really difficult for someone to actually be successful in mounting an attack with the information they extract, however, all in all this will probably come back and bite you.

Generally with an API the best approach is to implement some sort of token based authentication, however, without SSL (and unless you are physically authenticating & handing over those tokens) there has to be some sort of sensitive information sent across the wire and that's really where the problem lies.

Giving you already have an SSL cert for your site I don't really think you need client certs at all here (unless it's a business requirement). I see no reason why you couldn't make the private API calls accessible on HTTPS only and make users send authentication details along with each request.