aSSL - AJAX Secure Service Layer Launched

aSSL is an Open Source Library Built to Substitute the Need for SSL in AJAX Applications

Francesco Sullo has created aSSL: AJAX Secure Service Layer, an open source library built to substitute the need for SSL in AJAX applications. aSSL is a library distributed under the MIT License that implements a technology similar to SSL without HTTPS.

aSSL enables the client to negotiate a secret random 128-bit key with the server using the RC4 algorithm. Once a connection has been established, data is sent and received using the BlockTEA algorithm (a derivation of DES). aSSL 1.0 uses a 64-bit key. Version 1.1 uses a 128-bit key with a technique similar to Double Key Triple DES, which Sullo calls Double Key Quadruple DES. This allows a level of security closer to AES encryption. In fact, aSSL is moving towards AES.

aSSL is an AJAX open source library built to send data safely over the Internet when SSL is not available, or not needed. aSSL is a tool for developers that includes both client-side and server-side code; it is just code, with no on-screen user interface. The library can be easily integrated into an existing web application. The developer simply uses the built-in methods to pass aSSL the data to be sent to the server: the client-side code then encrypts it, sends it to the server-side code and returns the server response.

Features:

• aSSL uses a three-key technique in which the client and the server each generate a random key in order to negotiate a third key that they will use for all future transactions. (http://assl.sullof.com/assl/howitworks.asp)

• aSSL automatically keeps the connection alive by renegotiating a new key with the server before the session expires - keys are never reused, but recreated randomly at every renegotiation.

• aSSL can handle multiple, simultaneous connections with one or more servers.

What type of security aSSL can offer

aSSL is a security tool and, when used correctly, is an excellent way to lock up data before sending and receiving it over the Internet. By nature, it is not subject to Cross Site Scripting attacks, also known as XSS, because it uses no cookies and does not accept user input directly. Code traveling over an aSSL connection is as secure as code traveling over an SSL connection. In fact, aSSL uses an RC4 encryption algorithm similar to the one SSL uses, and only sends encrypted data.

Says Francesco Sullo, "[...] I think that a web site with aSSL is certainly more secure than a web site without. Like everything else, it needs to be used properly, and in the right places in order to work best. I think that sending login data via aSSL is a compromise between sending them in plain text via HTTP and sending them encrypted via HTTPS. In other words the question is “what level of security do you need”? aSSL is composed of a .js file and a server component. Currently, the ASP and PHP components are ready. I'm developing Ruby and Java components and in the near future I will add components in all the principal web languages (Perl, Python, TKL, etc.)."

More Stories By RIA News Desk

Ever since Google popularized a smarter, more responsive and interactive Web experience by using AJAX (Asynchronous JavaScript + XML) for its Google Maps & Gmail applications, SYS-CON's RIA News Desk has been covering every aspect of Rich Internet Applications and those creating and deploying them. If you have breaking RIA news, please send it to RIA@sys-con.com to share your product and company news coverage with AJAXWorld readers.


Most Recent Comments
Francesco Sullo 12/21/06 05:49:37 AM EST

Life is strange: yesterday a security expert, Marco Manfredini, wrote to me about a vulnerability in aSSL 1.0 and 1.1, so I decided to temporarily suspend the download of the library to fix the problem.
Luckily, last night, at 03:00 am, I fixed the problem by changing the encryption algorithm used to negotiate the Exchange Key. This new version 1.2 alpha now uses RSA to handle this. The code is much less compact but I think the new solution is bullet-proof. In the next days I will put the new files online so that the open source community can test it and let me know the results. Hoping well.

ajax news desk 12/20/06 02:05:44 AM EST

Francesco Sullo has created aSSL: Ajax Secure Service Layer, an open source library built to substitute the need for SSL in Ajax applications. aSSL is a library distributed under MIT License that implements a technology similar to SSL without HTTPS. aSSL is composed from a file .js and a server component.
