0

Simple scenario:
1. My client wants to login to my website. he goes to http://mywebsite.com
2. Feeds in his user/pass and submits.
3. we go to https.

question:
How insecure is it to NOT encrypt the user/pass with javascript on the client side ?
This means the user/pass are sent as is on the network.
How can someone pick them up ?
And if someone can pick them up is it advised to encrypt?
and if so, what is a recommended way to do this that could be painless enough ?

Thanks!

Improve this question
6
  • 3
    Why would you want to do encryption in JS, when you could simply use https everywhere and get encryption for 'free'? Commented Jul 17, 2012 at 14:13
  • What's the point to cript password with js in the first place? https is secure enough for authentication. Commented Jul 17, 2012 at 14:14
  • I guess it wasn't obvious to me. Do you mean that if the protocol is https in the first place, it would get the job done? It may be naive of me, but I thought that the method is to go first on http, and only after authentication you move to https. Commented Jul 17, 2012 at 14:18
  • No ted. The better method (in terms of security) by far is to force the user to ALWAYS use https, even for assets you sideload like JS and CSS. Commented Jul 17, 2012 at 14:26
  • @MrGlass, by forcing the user to use https... do you mean ? redirecting to https? Commented Jul 17, 2012 at 14:29

2 Answers 2

Reset to default
3

If you the action your form is posting to is HTTPS, then the post to it should be encrypted in the transport layer. There is no need to encrypt using javascript. In fact, if you did use javascript to encrypt passwords, it would be trivial for an attacker to strip out that javascript so that the credentials were sent unencrypted.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Like everybody, I would recommend use only HTTPS in your server. However, I was looking in source code of my bank's page... And I noted that they used criptography in fields before send them, e.g, "hidding" account's number and password using only javascript. I think it is valid to avoid "insecurity" in some scenarios, because the protocol SLL/TLS (layer between TCP and HTTPS) provides "security" when the data leaves your machine. But, if your SO was infected with something, perhaps this "thing" can "analyze" the network traffic generated by Browser's output, before Operational System to do use of TLS/SLL.

Anyway, if someone is interested, there are some library in Javascript to do criptography!

For example, this one:

http://crypto.stanford.edu/sjcl/

My answer is trying to show there is a focus to prevent a malicious software will be able understand the traffic between your browser and Operational System.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.