jmoran wrote:
> I've been thinking if some AJAX-authentication system is secure

No software is "secure" outside context. Security can only be
evaluated as a set of risks under a threat model.
In this case, your description is so vague (what's being
authenticated? what's AJAX being used to do? how does this "system"
work?) that we couldn't even imagine a plausible threat model, much
less its risks.

> since Javascript is downloaded into the client machine...

If the security of your system depends on the integrity or secrecy of
code under the attacker's control, you already have an abysmally weak
system, unless you have an extremely generous threat model (e.g., no one
will try to attack the system).
--
Michael Wojcik
Micro Focus
Rhetoric & Writing, Michigan State University