Security Basics mailing list archives
Re: Is In-Browser Encryption Safe?
From: Alexander Klimov <alserkli () inbox ru>
Date: Fri, 14 Jan 2005 21:51:16 +0200 (IST)
On Tue, 11 Jan 2005, Robert Inder wrote:
The obvious approach is that we set up something on the server to forward orders to the client's behind-the-scenes email address. Unfortunately this involves the server handling "valuable" information (albeit probably only a single credit card number every few weeks!), and I'd like to avoid this if possible. So I am wondering whether I could use such a package to (conspicuously) encrypt the credit card number in the user's browser. If the server were unable to decrypt the card number, but simply forwarded it to the client, then we would be back to the situation where the server never has anything of value. Does anyone have any thoughts on this? Why have I never seen anybody using this approach?
So you propose to use JavaScript to encrypt users info with your clients pub key and the private key is not stored on the server. Let's check if it protects you from any server compromise: If an attacker has write access to your server he can change the javascript (*) of the page and some server-side scripts to gain all the information -- so you gain nothing. If an attacker has only read-only access (**) to your server then since no sensible info is ever stored on the server (messages in the mail queue should have encrypted data, of course) he can't gain anything in either case. Probably, the only advantage of your proposal is that sensible data will not be sent in clear from a user to server, but probably it is easier to use SSL for this (and as a major side-effect SSL will also trick "security-savvy" users to think that your site is secure) (*) well, it should be called client-side script, but you seems to use different meaning of word "client" (**) e.g., because you check files checksums and he has no hope to leave modifications undetected -- Regards, ASK
Current thread:
- Is In-Browser Encryption Safe? Robert Inder (Jan 11)
- Re: Is In-Browser Encryption Safe? James Eaton-Lee (Jan 12)
- Re: Is In-Browser Encryption Safe? Alexander Klimov (Jan 14)
- <Possible follow-ups>
- Re: Is In-Browser Encryption Safe? Ed Gorski (Jan 11)
- RE: Is In-Browser Encryption Safe? Robert Hines (Jan 12)
- RE: Is In-Browser Encryption Safe? Javier Otero De Alba (Jan 11)
- Re: Is In-Browser Encryption Safe? SERGIO OTERO (Jan 12)
- FW: Is In-Browser Encryption Safe? Security (Jan 14)