Hello!

A long time ago I had a crazy idea of using public key cryptography through JS. I know about SSL, but unfortunately it has one big problem: you have to buy a certificate (actually, have a certificate signed by a certificate authority). Certificate-authority-free encryption systems are known to be vulnerable to active attacks, but they can prevent at least passive attacks. But on the Web you can't take advantage of public key cryptography without paying money to a certificate authority (OK, you can use a self-signed cert, but most browsers will show ugly warnings to users).
The workaround seems to be JavaScript-based encryption. At the beginning of an Ajax session, a Diffie-Hellman key exchange is done, and then this key, which is known only to the client and the server, is used to encrypt all the information passing through Ajax. This encryption system would be resistant to passive attacks (passwords entered by the user can't be captured). This system is not resistant to active attacks. But most attacks are passive (for example, free WiFi access points). The advantage over SSL is that it is free of charge.

I think this encryption would be a great part of Wt. Almost no changes to Wt applications would be needed, since all the JS is generated by Wt itself or Wt's functions, so it can be easily wrapped. It would be a method of WApplication, enabling this encryption. Is it possible to implement this?

Regards,
Boris Nagaev

_______________________________________________
witty-interest mailing list
https://lists.sourceforge.net/lists/listinfo/witty-interest
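The exchange proposed in the message above, as an added example that is not part of the original post and not Wt code: one Diffie-Hellman run over a network that only relays, and one over a network that substitutes public values, showing why the scheme holds against passive listeners only. The toy group, the fixed exponents and the `network` hook are assumptions made for this demo.

```javascript
// Toy group, constructed for this example: p = 2^127 - 1 is prime but far too
// small for real use (real code needs a 2048+ bit group and CSPRNG exponents).
const P = (1n << 127n) - 1n;
const G = 3n;

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// A party keeps `secret` private and sends only `pub` over the network.
const makeParty = secret => ({ secret, pub: modPow(G, secret, P) });
const sharedKey = (party, peerPub) => modPow(peerPub, party.secret, P);

// `network` (hypothetical hook) sees each public value in transit and
// returns the value that is actually delivered to the other side.
function exchange(client, server, network) {
  const atServer = network.toServer(client.pub);
  const atClient = network.toClient(server.pub);
  return { clientKey: sharedKey(client, atClient), serverKey: sharedKey(server, atServer) };
}

// Fixed exponents (constructed sample values) keep the run reproducible.
const client = makeParty(0x1f3a9c5d7e2b4861n);
const server = makeParty(0x2d4e6f8091a3b5c7n);

// Passive case: values are relayed unchanged; the listener records only the
// two public values, and both ends derive the same key.
function passiveRun() {
  const observed = [];
  const tap = v => { observed.push(v); return v; };
  return { ...exchange(client, server, { toServer: tap, toClient: tap }), observed };
}

// Active case: the network delivers its own public value in both directions,
// so each end unknowingly shares a key with the middle party instead.
function activeRun() {
  const middle = makeParty(0x3b5d7f91a2c4e608n);
  const swap = () => middle.pub;
  const keys = exchange(client, server, { toServer: swap, toClient: swap });
  return { ...keys, middleClientKey: sharedKey(middle, client.pub),
           middleServerKey: sharedKey(middle, server.pub) };
}
```

Nothing in the exchange itself tells either end that the public value it received was substituted, which is the gap that certificate-based authentication in SSL closes.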
