
I have a user registration form on my website, and it just sends the data (username, password and email) to the server in plain text using socket.io. I know that this is a really bad solution, so what do I use to hide the information? And can you explain how someone could get the information so I know what to avoid? I heard about jsAES, which encrypts the stuff, but how will both the client and the server know the key?

asked Sep 4, 2011 at 10:14
  • I've little experience with this, but https uses RSA. You encrypt at client side using a public key and on the server side you decrypt with a private key (secret). You might as well want to implement RSA. Commented Sep 4, 2011 at 10:17

1 Answer

What you can do is use asymmetric cryptography in JavaScript: include JavaScript encryption code (for example, RSA, not the symmetric AES) and a public key in your code. Upon submit, encrypt all inputs and send them to the server, where they are decrypted with the private key. However, a skilled attacker can simply change that JavaScript or inject his own to circumvent this client-side encryption. Also, it requires JavaScript, which may be disabled by security-conscious visitors.

Instead of rolling out your own solution, use HTTPS. Generate a key pair, get a certificate for it, and configure your server to serve HTTPS requests. Use HTTP Strict Transport Security to force HTTPS for all connections.

answered Sep 4, 2011 at 10:22

5 Comments

I do use JavaScript, it's an online game I'm making, and it's a must.
@bane Then use HTTPS. It's simple, well-supported, fast and secure, and you can get certificates for free.
Can you explain how these certificates work a little further? My website is still not online and I didn't even register a domain name! Can I use the software without the certificate and get it when I go public?
@bane Sure! Normally, all the data that makes up your website (HTML, styles, images, JavaScript etc.) is transferred in plain, via HTTP. When you access an https:// URL (like paypal.com), your browser and the webserver negotiate an encrypted communication channel (SSL/TLS). Once that channel is established, they speak HTTP over it. In order to be sure the other end of the encrypted channel is who you think (i.e. it's your webserver) instead of someone else's, you need a certificate by a trusted party that says your webserver is really domain.com. Continued ...
@bane In practice, that means you have to first create keys, then get the SSL certificate (try the free StartSSL above), then upload it to the webserver and configure it to start serving HTTPS. As soon as you have registered the domain, create the keys and apply for a certificate. Once you have it, just contact your webserver administrator/provider and say you want HTTPS support and have a key pair and certificate for your domain. If anything's unclear, feel free to ask at webmasters or serverfault, or me.
