Welcome to WebmasterWorld Guest from 22.214.171.124
Forum Moderators: phranque
I'd like there to be security options. Especially options that don't cost us effort.
One idea is that the client encrypts and decrypts the content (which is very simple markup) on the browser.
Anyone know of techniques to achieve this?
Know where I can find out more?
I'm not clear on your application. When the client enters the data in the browser, should it be encrypted as he types it?
Or, do you want the data to travel across the internet encrypted?
Or should it be stored in an encrypted fashion on the database?
For that to happen encryption and decryption happen on the browser.
The design in my head is that he sees the cleartext in his browser but sends cyphertext over the wire.
Only the user can see the content, not me, not the communication channel, not anyone looking into the database...
No leaks possible except at the browser, but the information is stored elsewhere.
It's entirely the user's responsibility, if he looses the decryption key/s he's finished.
Register the users in the database with an encrypted password as well.
Then, the person logs on, provides the proper password and only he can read the data as it comes through the encryption filter.
Encryption in the database doesn't satisfy this need (I'm considering using my own layer of encryption within the database but that's a separate issue).
Technically I have the key and the cyphertext so I could decode the content. I don't want to be able to do that.
Even if an asymmetric technique is used I still need the content encrypted on the browser. That way no clear text on the wire at all.
Basically this is about what I'd like to have myself for completely private content. I'd like to offer something that bulletproof to users. Eventually this will be feasible, I'm hoping it is also sensible to do it now. I know a lot of users won't be able to understand it yet but they're not the target audience!
Seeems the most obvious and fullfills all your needs:
- Content is ever only decrypted at the client.
- Only use knows password
- Password NEVER travels to server
- Does not use any extra server resources
- if user looses password, data becomes unrecoverable except by brute force, depending on algorithm.
Negatives: Mostly to do with the cache, but since the results of JS executions don't really enter the cache, that shouldn't be a problem. i.e. The algorithm is puplic anyways, but useless without the cipher key.
Issue there include:
I guess the reason I wasn't aware of a browser hosted technology (like that available in email clients) is that it's not there. Pity.
I'll decide by 15 November whether this goes on ice.
Thanks again for all the input to this query.
Anyone know anything about it or tried it out?
Looks like it may need a heavy backend investment on the server. If it does then it's not suitable.
If you think the deployment scenario might fit (the .NET Framework requirement could nullify this option outright) - Microsoft has published quite a bit on the topic at: [msdn.microsoft.com...]
It may also be worth your time to check out some more real-world information and a demo here:
I tried the Wahoo example and got firewall messages followed by a security blockade and debug session. I didn't run the program. This may currently be too hard.
I'm keeping an eye on this approach.