I agree with the majority of the sentiments above. I would like to point out that I 
disagree with the statement:
"On another note, the only way to obfuscate the data, would be to have an 
encryption implementation in JavaScript, and a matching version in Python to 
transmit the data over the wire. In this case, all a hacker would have to do 
is read your JavaScript code, which is just a "right-click -> view source" 
away. So you gain nothing by trying to obfuscate the data, which is exactly 
why HTTPS and SSL exist, because the security experts know that security is 
NOT obfuscation."

If I were actually implementing encryption (not obfuscation, the two terms 
are used interchangeably above) I would use an asymmetric key algorithm; 
thus, assuming we had a man in the middle, even being able to view our 
JavaScript, public key & encrypted text would provide no method of 
identifying the original data. 

All this being said, I don't believe I would use JavaScript as an integral 
part of my website security architecture. :) 

PS: If you really do care, a quick web search identifies multiple DES/AES 
javascript implementations. (Obviously, use at your own risk)
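
The asymmetric setup described in the message above, as an added example that is not part of the original post: a Node.js sketch (built-in `crypto` module; the function names and the sample value are constructed for illustration) in which someone holding the script, the public key and the ciphertext cannot decrypt, and which shows that this depends on randomized padding such as RSA-OAEP. It models a passive observer only; an observer who can alter the delivered script or key is outside what it demonstrates.

```javascript
// Added example: constructed data, Node.js built-in crypto only.
const crypto = require('crypto');

// Server side: the private key never leaves the server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: everything used here (code and public key) is visible to an observer.
function clientEncrypt(text) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, Buffer.from(text, 'utf8'));
}

// Server side: only the private key holder can reverse the operation.
function serverDecrypt(ciphertext) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext).toString('utf8');
}

// Unpadded ("textbook") RSA, shown only for contrast: its output is deterministic.
function textbookEncrypt(text) {
  const block = Buffer.alloc(256); // 2048-bit modulus = 256 bytes, zero-filled
  block.write(text, 256 - Buffer.byteLength(text), 'utf8');
  return crypto.publicEncrypt({ key: publicKey, padding: crypto.constants.RSA_NO_PADDING }, block);
}

// Can a holder of public material confirm a guess by re-encrypting it?
function guessConfirmed(encrypt, captured, guess) {
  return encrypt(guess).equals(captured);
}

// Decryption with the public key is rejected by the library.
function publicKeyCanDecrypt(ciphertext) {
  try {
    crypto.privateDecrypt({ key: publicKey, ...OAEP }, ciphertext);
    return true;
  } catch (err) {
    return false;
  }
}

const secret = 'pin=4921'; // constructed low-entropy sample value
const captured = clientEncrypt(secret);
console.log('server recovers plaintext:', serverDecrypt(captured) === secret);
console.log('public key can decrypt:', publicKeyCanDecrypt(captured));
console.log('guess confirmed (OAEP):', guessConfirmed(clientEncrypt, captured, secret));
console.log('guess confirmed (unpadded):',
  guessConfirmed(textbookEncrypt, textbookEncrypt(secret), secret));
```

With unpadded RSA the same input always yields the same ciphertext, so short or guessable values can be confirmed from public material alone; OAEP removes that property.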
