
Simple scenario:
1. My client wants to log in to my website. He goes to http://mywebsite.com
2. Feeds in his user/pass and submits.
3. We go to https.

Question:
How insecure is it to NOT encrypt the user/pass with JavaScript on the client side?
This means the user/pass are sent as is on the network.
How can someone pick them up?
And if someone can pick them up, is it advised to encrypt?
And if so, what is a recommended way to do this that could be painless enough?

Thanks!

  • Why would you want to do encryption in JS, when you could simply use https everywhere and get encryption for 'free'? Commented Jul 17, 2012 at 14:13
  • What's the point of encrypting the password with JS in the first place? https is secure enough for authentication. Commented Jul 17, 2012 at 14:14
  • I guess it wasn't obvious to me. Do you mean that if the protocol is https in the first place, it would get the job done? It may be naive of me, but I thought that the method is to go first on http, and only after authentication you move to https. Commented Jul 17, 2012 at 14:18
  • No, Ted. The better method (in terms of security) by far is to force the user to ALWAYS use https, even for assets you sideload like JS and CSS. Commented Jul 17, 2012 at 14:26
  • @MrGlass, by forcing the user to use https... do you mean redirecting to https? Commented Jul 17, 2012 at 14:29

2 Answers


If the action your form is posting to is HTTPS, then the post to it should be encrypted in the transport layer. There is no need to encrypt using JavaScript. In fact, if you did use JavaScript to encrypt passwords, it would be trivial for an attacker to strip out that JavaScript so that the credentials were sent unencrypted.



Like everybody, I would recommend using only HTTPS on your server. However, I was looking in the source code of my bank's page... And I noted that they used cryptography in fields before sending them, e.g., "hiding" the account number and password using only JavaScript. I think it is valid to avoid "insecurity" in some scenarios, because the SSL/TLS protocol (layer between TCP and HTTPS) provides "security" when the data leaves your machine. But, if your OS was infected with something, perhaps this "thing" can "analyze" the network traffic generated by the browser's output, before the operating system makes use of TLS/SSL.

Anyway, if someone is interested, there are some libraries in JavaScript to do cryptography!

For example, this one:

http://crypto.stanford.edu/sjcl/

My answer is trying to show there is a focus on preventing malicious software from being able to understand the traffic between your browser and the operating system.
