PHP Classes
elePHPant
Icontem

Caution: This is not a replacement for SSL/TLS

Recommend this page to a friend!

      PHP Form Encryption  >  PHP Form Encryption package blog  >  Encrypt Post Data PHP...  >  All threads  >  Caution: This is not a replacement...  >  (Un) Subscribe thread alerts  
Subject:Caution: This is not a replacement...
Summary:Encrypting data in the browser via JavaScript is pointless
Messages:2
Author:AVAS Technology
Date:2016-10-05 14:23:15
 

  1. Caution: This is not a replacement...   Reply   Report abuse  
AVAS Technology - 2016-10-05 14:23:15
Encrypting data in the browser via JavaScript is pointless if the HTML & JavaScript is not served via TLS. Without the encryption, and associated authentication procedure, provided by TLS there is no guarantee that the user received the correct JavaScript code or even performed the encryption. A Man-In-The-Middle attack here would simply remove the encryption and redirect all data to their own server, record the data and then encrypt it before passing it on to the website.

You can find a more detailed explanation at:
avastechnology.com/Blog/Post/Man-in ...

  2. Re: Caution: This is not a replacement...   Reply   Report abuse  
Francisco del Aguila - 2016-10-05 16:15:23 - In reply to message 1 from AVAS Technology
You're right: This tool is not intended to replace SSL/TLS.

It's just a tool to avoid plain-text communications as an efficient defence against snnifers (remember that RSA-private key is NEVER transmitted, and AES-256 key is RSA encrypted and has short life). It can be valid also against XSS attacks if the calling script only accepts encoded forms (better than use tokens is to convert all data in a token itself).

Just another stone on hackers's way. Remember that SSL/TLS can be attacked: https://drownattack.com, Crime SSL/TLS, HEIST... and future ones.