Question

Is there any way to prevent or detect a man-in-the-middle attack over plain HTTP?

I want to run a javascript applet on a client machine with confidence that the code wasn't modified. Are there any clever tricks to sign the code or deliver it safely without going the usual route of HTTPS and a certificate?

Solution

No, not really. By the time you make it secure, you'll have had to reinvent at least 90% of HTTPS (or something very similar, anyway) -- but probably have done an inferior job of it. No insult intended, but very few people are capable of designing something like this adequately. The usual is for a specialist (or a few of them) to design it as well as they can, and still plan on having to fix at least a few problems over the next few years as more cryptanalysts look at it. Chances of a non-specialist getting it right the first time are right up there with those of winning a major lottery and being hit by lightning at exactly the same moment.

OTHER TIPS

In one form or another, public key cryptography would be involved, I believe. You could probably implement it yourself, but it would probably be insecure and difficult. Why do you want to not use HTTPS? It exists for this purpose.

If it's javascript, then you can't even confirm that the person on the client machine hasn't modified your applet whether you use SSL or not.

If they can modify the javascript, then they can remove any checksumming or similar that you put in. Your best bet is to use a javascript obfuscator / minimizer, as that will just make it hard as all hell to change and still run. Yahoo has a good one I believe, as does Google.

This isn't fool-proof but it's probably going to weed out almost everybody considering tampering with your applet. Head over to maps.google.com and have a look at their javascript. Think about sneakily modifying something about it. Probably not gonna happen.

EDIT: this might not be so good after all, see links below

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow