Google Chart’s Resolution
A few days ago I posted my frustrations with Google’s charting API security. While I still believe there are some issues that would plague banks, government and other institutions that have highly sensitive data, I have found a solution to our problem.
Problem 1: Query Parameters
The first issue we had was that the data had to be passed through query parameters, or through a GET request, both of which are insecure. The simple solution to this problem is to avoid passing sensitive data altogether. While someone could potentially snipe the URL and read the sales trends line graph, the information is meaningless without knowing who the associated account is.
Problem 2: SSL Connections
Our applications all run in secured HTTPS environments. This means I cannot securely link to the Google chart image directly, since they (rightfully) do not accept HTTPS connections.
The simple solution is to suck the data in through a server-side language (PHP and Sandstone, in our case) and then output it within our own secured environment.
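The server-side fetch described above, sketched in PHP as an added example (not code from the original post). The upstream endpoint URL, the parameter allowlist and the size cap are assumptions; the script forwards only chart parameters, never an account identifier, and checks that what comes back is a PNG before serving it from the HTTPS origin.

```php
<?php
// Added example: serve a Google chart image from our own HTTPS origin.
const CHART_ENDPOINT = 'http://chart.apis.google.com/chart'; // assumed upstream URL
const ALLOWED_PARAMS = ['cht', 'chs', 'chd', 'chco', 'chl']; // assumed allowlist: type, size, data, colors, labels
const MAX_BYTES = 262144; // assumed cap: refuse unexpectedly large responses

// Build the upstream URL from allowlisted parameters only, so the script
// cannot be used to fetch arbitrary URLs or to forward account identifiers.
function build_chart_url(array $input): string
{
    $params = [];
    foreach (ALLOWED_PARAMS as $name) {
        if (isset($input[$name]) && is_string($input[$name]) && strlen($input[$name]) <= 1024) {
            $params[$name] = $input[$name];
        }
    }
    if (!isset($params['cht'], $params['chs'], $params['chd'])) {
        throw new InvalidArgumentException('cht, chs and chd are required');
    }
    if (!preg_match('/^\d{1,4}x\d{1,4}$/', $params['chs'])) {
        throw new InvalidArgumentException('chs must look like 250x100');
    }
    return CHART_ENDPOINT . '?' . http_build_query($params);
}

// Fetch the image server-side: short timeout, no redirects, capped size.
function fetch_chart(string $url): string
{
    $ctx = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($body === false || strlen($body) > MAX_BYTES) {
        throw new RuntimeException('chart fetch failed or response too large');
    }
    // Check the PNG signature instead of trusting the upstream Content-Type.
    if (strncmp($body, "\x89PNG\r\n\x1a\n", 8) !== 0) {
        throw new RuntimeException('upstream did not return a PNG');
    }
    return $body;
}

try {
    $png = fetch_chart(build_chart_url($_GET));
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    echo $png;
} catch (Exception $e) {
    // 400 for a bad request from our own page, 502 for an upstream problem.
    http_response_code($e instanceof InvalidArgumentException ? 400 : 502);
}
```

The page then references this script in its `<img>` tag over HTTPS, so the browser never makes a mixed-content request.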
Conclusion
As my wife will tell you, I’m wrong about many things. This last post was one instance. As I investigated deeper into this problem, it became evident that anyone with very sensitive data would not accept a hosted solution of any kind, so Google has made the right choice to err in favor of the simple interface for the people who will be using it.