Security Basics mailing list archives

Re: Is In-Browser Encryption Safe?


From: James Eaton-Lee <james.mailing () gmail com>
Date: Wed, 12 Jan 2005 13:52:37 +0000

If I'm reading you correctly, you're basically wanting to implement
something on the client side to send encrypted data over http - I'm not
sure of the specifics of exactly what you're trying to do, but it would
almost certainly be simpler to use https - then you don't have to worry
about any special coding, all the configuration is done on the webserver
itself, and you have data encrypted in transit to a standard which is
not only commercially understood (it is, after all, intended for doing
things exactly like this!), but consumers also know and (to some extent)
understand. 

As a side issue (actually, this is what I'd be pointing out if I were in
a situation where political pressure was affecting a deployment of
something like this) you may find that many users (particularly those
who're less than computer literate) won't use anything that 'doesn't
have the little padlock' which they're used to seeing on 'secure'
websites.

Back to the problem in hand, I believe that there are several methods of
encrypting data in-browser; it would be my guess that you could do it
most reliably in java, as you have most control of the environment your
encryption is being done in; this will also probably be the most
browser/platform-neutral way of doing things other than ssl - but your
experiences may differ. 

I've had a quick google around and there seem to be a few
commercial/free java applets which do similar things. If you wanted to
use a java applet, you could probably encrypt data internally and then
send a regular e-mail with encrypted data inside it to the client, but
it could get fairly messy.

If you do this via ssl, then you avoid the e-mail mess in the first
place - you can very simply knock something up which allows your / their
staff to access details online in any web technology (asp, php, perl,
python). The other thing which I'd add is that any method other than
client/server ssl encryption and doing this in java may be unreliable
and break in anything other than the browser you tested it in. Not fun
if you need an element of accountability!

If it's an issue of compromising security and bowing to political
pressure or doing the job properly, I'm no stranger to the issue you're
facing! What you need to communicate is *why* these things are important
to do properly (risk management, business reputation, actually getting
people to use your service).

If you need help with the issue and you're hiring, I'm based in Fife :-p

 - James Eaton-Lee

On Tue, 2005-01-11 at 12:44 +0000, Robert Inder wrote:
One of our clients has asked us to add an ordering facility to a web
site, and I'm wondering about using in-browser encryption to
protect the credit card number.

Here's the situation.

The ordering facility will, I believe, be almost impossible to use
until we add a sane product selection system (at which point we/they
will probably be signing up with a third party payment processing service).

But there is political pressure to have an ordering facility as soon
as possible, and we've been asked to provide an on-line order form,
with the orders coming to them by email.  Given the likely usage,
having orders reach the client as email makes sense.

The obvious approach is that we set up something on the server to
forward orders to the client's behind-the-scenes email address.

Unfortunately this involves the server handling "valuable" information
(albeit probably only a single credit card number every few weeks!), and
I'd like to avoid this if possible.

Now, I have noticed implementations of public-key encryption
in Javascript.  For instance the RSA algorithm at http://www.ohdave.com/rsa/

So I am wondering whether I could use such a package to
(conspicuously) encrypt the credit card number in the user's browser.

If the server were unable to decrypt the card number, but simply
forwarded it to the client, then we would be back to the situation
where the server never has anything of value.

Does anyone have any thoughts on this?  

Why have I never seen anybody using this approach?

Robert.

--
Robert Inder      Interactive Information,            07770 30 40 52 (general)
07808 492 213     3, Lauriston Gardens,                    0131 229 1052 (fax)
                  Edinburgh EH3 9HH
                  SCOTLAND UK             Interactions speak louder than words