Finnnn

Reputation: 3580

sending personal info over http in an ajax post. Is it secure? Why?

I'm doing some Codecademy courses at the moment. It's a great service, highly recommended.

I've noticed they use some tracking. They use ajax posts to send user information to their tracking provider. http://track.segment.io/

It sends some json -

{"data":{},"newId":"[email protected]","api_key":"sfdsdkjf","user_id":"[email protected]","callbackId":111,"attributes":{"firstSeen":"2012-02-15T17:28:23.978Z","lastSeen":"2012-02-15T17:28:23.978Z","temp":false},"context":{"timestamp":"2012-02-15T17:28:23.979Z","visit":{"id":"asfsaasfsa","start":"2012-02-15T15:23:11.000Z","end":"2012-02-15T17:28:23.978Z"}}}

You'll notice that as I've not set my user name it uses my email as a reference to who I am. This seems like bad practice to me, but I'm unsure why.

My question is -

Should they be sending this info over https? I thought any personal info should always be sent over https, but I don't really understand why. Is there a security risk here?

Upvotes: 0

Views: 259

Answers (3)

Dan Kanze

Reputation: 18595

Yes and no. There is always the possibility of man-in-the-middle attacks. But you have to ask yourself... Is my email and API key really so dangerous in the hands of another person? This really goes into risk assessment of a project and calculating risk management.

If the company feels like disclosure of these credentials can't be used to escalate an attack, then that's why this information is less secured. However, if there is a possibility of escalation, you are never going to know unless you yourself try haha.

Upvotes: 1

Mike Christensen

Reputation: 91580

You are correct that sending HTTP POSTs with a JSON payload is not as secure as using HTTPS. However, this is no more or less secure than any other HTTP communication that contains your personal information.

For example, if your email address was in a table on a normal HTML page on the server:

<table>
   <tr><td>Email:</td><td>[email protected]</td></tr>
</table>

...then this would be just as much of a problem as the AJAX method.

It boils down to the requirements of the site. If you're doing something like online banking, HTTPS is a must. However, I doubt you have to worry about hackers intercepting HTTP traffic when you're using a site such as Codecademy, and HTTPS comes at a cost as well.

Upvotes: 0

Nitzan Tomer

Reputation: 164129

You're right, they should be sending personal info over https, since it is a secure connection which uses SSL. That means that whoever is on your network cannot (or, well, it will be very hard for him to) get the data of your requests.

Without the use of SSL, anyone who is sharing your network can in fact see all of the data you are sending/receiving.

Unfortunately, there's no way to enforce that.

Upvotes: 1
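As an added illustration, not part of any of the answers above: a small audit script that flags outbound requests which carry personal or secret-looking fields without TLS. The sample requests are constructed to resemble the tracking beacon in the question; the URLs, keys and values are placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample requests modelled on the beacon in the question.
# Values are placeholders, not captured data.
REQUESTS = [
    {"method": "POST", "url": "http://track.segment.io/",
     "body": '{"api_key":"sfdsdkjf","user_id":"user@example.com",'
             '"context":{"visit":{"id":"asfsaasfsa"}}}'},
    {"method": "POST", "url": "https://api.example.com/v1/track",
     "body": '{"api_key":"sfdsdkjf","user_id":"user@example.com"}'},
    {"method": "GET", "url": "http://cdn.example.com/lib.js", "body": ""},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Key names treated as sensitive; extend to match your own schema.
SENSITIVE_KEYS = {"api_key", "apikey", "token", "password", "secret", "email", "user_id"}

def sensitive_fields(obj, path=""):
    """Walk a decoded JSON value; return (path, reason) for fields that look personal or secret."""
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k.lower() in SENSITIVE_KEYS:
                found.append((p, f"sensitive key name '{k}'"))
            else:
                found.extend(sensitive_fields(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(sensitive_fields(v, f"{path}[{i}]"))
    elif isinstance(obj, str) and EMAIL_RE.match(obj):
        found.append((path, "value looks like an email address"))
    return found

def audit(requests):
    """Return (url, field path, reason) for sensitive-looking data sent over plain HTTP."""
    findings = []
    for r in requests:
        if urlparse(r["url"]).scheme.lower() == "https" or not r["body"]:
            continue  # TLS protects the body; an empty body has nothing to leak
        try:
            body = json.loads(r["body"])
        except json.JSONDecodeError:
            continue  # non-JSON bodies are out of scope for this check
        for path, reason in sensitive_fields(body):
            findings.append((r["url"], path, reason))
    return findings

if __name__ == "__main__":
    for url, path, reason in audit(REQUESTS):
        print(f"cleartext {url}: {path} ({reason})")
```

Run against a HAR export or proxy log converted to the same dict shape to find which third-party beacons on a page expose identifiers in cleartext.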
