Security Basics mailing list archives
RE: Is In-Browser Encryption Safe?
From: "Robert Hines" <b.hines () comcast net>
Date: Wed, 12 Jan 2005 08:44:16 -0500
A key system, with or without encryption, gives your organization a level of security that (in my mind) greatly surpasses any demarc-to-demarc service agreement solution implemented. A user-to-user policy, such as agreed keyshare or passphrase, is superior when it comes to the overall triple 'A's or shared data security for that matter.

Bob

-----Original Message-----
From: Ed Gorski [mailto:Ed.Gorski () ci tampa fl us]
Sent: Tuesday, January 11, 2005 1:31 PM
To: robert () interactive co uk; security-basics () securityfocus com
Subject: Re: Is In-Browser Encryption Safe?

Unless you are encrypting the e-mail itself (via PGP Keys or otherwise) then sending the order information via e-mail is just as insecure.....

--------------------------------------------------------
Edmund Gorski
Application Systems Analyst
Strategic Planning & ITS
City of Tampa
e: Ed.Gorski () tampagov net
p: 813-274-8488
--------------------------------------------------------

Robert Inder <robert () interactive co uk> 1/11/2005 7:44:20 AM >>>
One of our clients has asked us to add an ordering facility to a web site, and I'm wondering about using in-browser encryption to protect the credit card number.

Here's the situation.

The ordering facility will, I believe, be almost impossible to use until we add a sane product selection system (at which point we/they will probably be signing up with a third party payment processing service).

But there is political pressure to have an ordering facility as soon as possible, and we've been asked to provide an on-line order form, with the orders coming to them by email.

Given the likely usage, having orders reach the client as email makes sense. The obvious approach is that we set up something on the server to forward orders to the client's behind-the-scenes email address.

Unfortunately this involves the server handling "valuable" information (albeit probably only a single credit card number every few weeks!), and I'd like to avoid this if possible.

Now, I have noticed implementations of public-key encryption in Javascript. For instance the RSA algorithm at http://www.ohdave.com/rsa/

So I am wondering whether I could use such a package to (conspicuously) encrypt the credit card number in the user's browser. If the server were unable to decrypt the card number, but simply forwarded it to the client, then we would be back to the situation where the server never has anything of value.

Does anyone have any thoughts on this? Why have I never seen anybody using this approach?

Robert.

--
Robert Inder
Interactive Information,
07770 30 40 52 (general)
07808 492 213
3, Lauriston Gardens,
0131 229 1052 (fax)
Edinburgh EH3 9HH
SCOTLAND UK
Interactions speak louder than words

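The flow asked about in the original question, sketched as an added example that is not part of the thread or of the RSA package it links to: the card field is encrypted to the client's public key, the server only formats and forwards it, and the client decrypts from the e-mail. It assumes Node's built-in `crypto` module standing in for a browser-side RSA library, RSA-OAEP as the padding (a choice made for this example, since randomized padding stops the server confirming a guessed card number by re-encrypting it), and hypothetical function names.

```javascript
// Added illustration; Node's built-in crypto stands in for a browser-side RSA library.
const nodeCrypto = require('node:crypto');

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client (merchant), once and offline: the private key never reaches the web server.
function makeMerchantKeys() {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// Browser: encrypt only the card field before the form is submitted.
function browserBuildOrder(publicKeyPem, order) {
  const ct = nodeCrypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(order.card, 'utf8'));
  return { item: order.item, name: order.name, cardEnc: ct.toString('base64') };
}

// Web server: formats the posted fields as the order e-mail. It holds the public key only.
function serverBuildEmail(posted) {
  return [`Item: ${posted.item}`, `Name: ${posted.name}`,
          `Card (RSA-OAEP, base64): ${posted.cardEnc}`].join('\n');
}

// Client's side: recover the card number from the e-mail with the private key.
function merchantReadCard(privateKeyPem, emailBody) {
  const m = /^Card \(RSA-OAEP, base64\): (\S+)$/m.exec(emailBody);
  if (!m) throw new Error('no encrypted card field in message');
  return nodeCrypto.privateDecrypt({ key: privateKeyPem, ...OAEP },
                                   Buffer.from(m[1], 'base64')).toString('utf8');
}

// What a server could try: re-encrypt a guessed number and compare with the posted value.
// With randomized padding this never matches, even for the correct guess.
function serverGuessMatches(publicKeyPem, posted, guess) {
  return browserBuildOrder(publicKeyPem, { item: '', name: '', card: guess }).cardEnc === posted.cardEnc;
}

// Constructed sample order (a well-known test card number, not real data).
const keys = makeMerchantKeys();
const sample = { item: 'widget', name: 'A. Customer', card: '4111111111111111' };
const posted = browserBuildOrder(keys.publicKey, sample);
const email = serverBuildEmail(posted);
console.log(email);
console.log('merchant sees:', merchantReadCard(keys.privateKey, email));
```

The guarantee only covers a server that faithfully serves the encryption script and the real public key, since both are delivered to the browser by that same server.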
Current thread:
- Is In-Browser Encryption Safe? Robert Inder (Jan 11)
- Re: Is In-Browser Encryption Safe? James Eaton-Lee (Jan 12)
- Re: Is In-Browser Encryption Safe? Alexander Klimov (Jan 14)
- <Possible follow-ups>
- Re: Is In-Browser Encryption Safe? Ed Gorski (Jan 11)
- RE: Is In-Browser Encryption Safe? Robert Hines (Jan 12)
- RE: Is In-Browser Encryption Safe? Javier Otero De Alba (Jan 11)
- Re: Is In-Browser Encryption Safe? SERGIO OTERO (Jan 12)
- FW: Is In-Browser Encryption Safe? Security (Jan 14)