Should I encrypt sensitive form data with JavaScript on the client?

Best case scenario here is that you are wasting your time. Generally, doing client side encryption on top of HTTPS in a web application is a lot of work, but it provides no extra security.

The purpose of an extra crypto layer would be to protect against a MITM that has somehow managed to crack the TLS encryption. But an attacker that has done that could easily just modify the JS source of your extra crypto, simply turning it off. So this would only be useful against a passive MITM that has cracked TLS, and that really isn't a threat model worth investing a lot of energy protecting against.

Also note that limitations in many browsers (Opera Mini, IE9) ability to generate secure random numbers makes client side encryption tricky. You should never rely on Math.random for anything crypto related.

You should focus your energy where it has maximum impact. Instead of implementing your own crypto, make sure that you are using the good crypto you get for free with HTTPS correctly. If you are worried about MITM-attacks, looking into HSTS and preloading would be time much better spent.

Tags:

Javascript

Encryption

Web Application

Related

Can someone without the WiFi login and no physical access to a router still access it with the admin login? Why do apps with phone verification send the user a message, rather than have the user send one to them? Does DNS allow third parties to register subdomains? Most reduced types of DoS attacks How should I verify a caller is from the bank or company they claim? How can I verify signed commits made by other people? My sites have been hacked by cpamatik.com , it passes all security checks with Google and Sucuri, but still redirects, any idea? How important is local time for security? OpenSSL Certificate Renewal with same keys and NO CSR How does subresource integrity actually help? What could an attacker do if they gained access to PBKDF2 hashes? Plausibility of DNA sequence for encryption

Recent Posts