Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

5
  • 1
    I'm not sure what exactly you mean by "roll your own in javascript" but I'm pretty sure it's a bad idea. Commented Mar 10, 2013 at 18:23
  • -1 never roll your own https in javascript. If that's not what you meant please clarify. Commented Aug 24, 2013 at 14:24
  • @makerofthings7 I clarified. I never said roll https in javascript, I said OR javascript (clarified with encryption). Although not the easiest to implement correctly, there are resources for that kind of solution. It's a valid answer and I don't see why it's worth a negative point. Commented Aug 28, 2013 at 20:07
  • Javascript with crypto code delivered from the server (which is what you seem to describe) is rarely a good idea. The server can modify that JS code and expose the local private keys. Another vector is XSS/CSRF. It's a risky security design. HTTPS should be a minimum. Let me know if you're thinking of some other deployment, such as a HTML/SPA application wrapped in PhoneGap or something similar. Commented Aug 28, 2013 at 20:49
  • 1
    @makerofthings7, My thought process was not for man-in-the-middle. That is a can of worms. I was picturing eavesdropping. One of the systems I worked on encoded all form data with javascript (with a random key) so that coworkers couldn't snoop on each other. Commented Aug 28, 2013 at 21:25