Naked Science Forum

Non Life Sciences => Geek Speak => Topic started by: RD on 05/04/2012 12:37:40

Title: In-browser encryption via javascript, is it secure ?
Post by: RD on 05/04/2012 12:37:40

#####  Encrypted: decrypt with http://www.fourmilab.ch/javascrypt/jscrypt.html (http://www.fourmilab.ch/javascrypt/jscrypt.html)
?HX?60ff740c620065ef5620b8c9bff47c3f3e063fa11112165107893744d46a
9c1ba783661ea4e4937ed3ba2ed1fef1149f9f535ae6557da799672fb8d5715f
8c7db7c4971c5fa356f1bdb2285f9f3795c49f94b311f21179c5e9242c7a2a2c
38fa248a1ca303b758f1375496e6085d67ca7c43df025957733c26d1551555d9
ec0eca42e132e2e4701bbc471bb15b3274cd13d4c98d27b64a172d33592efc47
0fd1f409276f2ae50276c447920c97b9a52dd274858c02667788079509aab5ee
c86d4aaf8621633398341881863a904c08f7f3b3b1ab886e41aa6ae39cdd6b1b
e1b26becfaaa59e0be56990e943e30ab80570a492f522f42213f45ab0900d4e4
bed11c4f8854a5ff5f1a7789f9c31007b5cdd9ad948e74161a077b25313e0ec1
18fc399871768a473cdbc592da96890c641d?H
#####  End encrypted message


http://www.fourmilab.ch/javascrypt/

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: CliffordK on 05/04/2012 14:43:34

It would help if you had chosen to send a decryption key.

Java, of course is a powerful programming language, so one could expect to be able to write encryption/decryption software in the language.  Obviously you have to trust the hosting site.

Java, of course, is mostly run on the client computers, so you have access the the algorithms.  That means that reverse engineering the program might be easier, as well as trying to see how much information is being captured by the host.

If the program was run on the server, the "black box" would be harder to crack, but you also would have less information about what the is being done with your data.

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: RD on 05/04/2012 15:54:47

Quote from: CliffordK on 05/04/2012 14:43:34

It would help if you had chosen to send a decryption key.

if someone could have deciphered it without the key that would have answered the question

the key is nakedscientists

I'd heard of javascript injection of malware (http://www.asp.net/mvc/tutorials/older-versions/security/preventing-javascript-injection-attacks-cs), but I wasn't sure if such malware survived closing the browser (i.e. persistent).  If encryption / decryption was being performed by javascript into which malware has been injected then the secret info could be leaked.

[ May just be that my tinfoil hat is on too tight.  [:)] ]

Quote

a hacker can use a JavaScript injection attack to steal the values of browser cookies from other users. If sensitive information -- such as passwords, credit card numbers, or social security numbers – is stored in the browser cookies, then a hacker can use a JavaScript injection attack to steal this information. Or, if a user enters sensitive information in a form field contained in a page that has been compromised with a JavaScript attack, then the hacker can use the injected JavaScript to grab the form data and send it to another website.

Please be scared. Take JavaScript injection attacks seriously and protect your user’s confidential information.

http://www.asp.net/mvc/tutorials/older-versions/security/preventing-javascript-injection-attacks-cs

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: Gordian Knot on 09/04/2012 17:49:08

To repeat RD, Please be scared. The first successful Mac trojan got thru their safeguards through Java. It is estimated that some 600,000 Macs are infected!

Here is a site that helps you find out if you are one of the infected:

http://gizmodo.com/5899352/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected (http://gizmodo.com/5899352/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected)

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: RD on 09/04/2012 18:21:00

Quote from: Gordian Knot on 09/04/2012 17:49:08

The first successful Mac trojan got thru their safeguards through Java.

There's Java (https://en.wikipedia.org/wiki/Java_%28programming_language%29) and javascript (https://en.wikipedia.org/wiki/Javascript), which are quite different ...

http://stackoverflow.com/questions/245062/whats-the-difference-between-javascript-and-java

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: Gordian Knot on 13/04/2012 15:24:00

Yes they are. And they are both dangerous for the holes in their security that the bad guys can use.

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: syhprum on 13/04/2012 20:25:48

As one whose programing skills never got past elementry Basic I would appriciate some examples of what can be done in Java and the misnamed "Java script"

Title: Re: In-browser encryption via javascript, is it secure ?
Post by: RD on 13/04/2012 21:49:10

Quote from: syhprum on 13/04/2012 20:25:48

... I would appriciate some examples of what can be done in Java and the misnamed "Java script"

Javascript examples are available (https://en.wikipedia.org/wiki/JavaScript_library) primarily to manipulate data on webpages, e.g. If you block your browser from using javascript when you compose a post in this forum, the controls for font size, italics, emoticons, etc don't appear : they are made possible by javascript in the webpage running in your browser.

https://en.wikibooks.org/wiki/JavaScript/First_Program

The arcanesanctum.net webpage calculates MD5 (https://en.wikipedia.org/wiki/MD5) of a text string using javascript ... http://arcanesanctum.net/md5/
like the "fourmilab" encryption webpage at the start of this thread, you can save a copy of the webpage on your computer and run it in your browser without being connected to the internet.

 [ Invalid Attachment ]