Security of the HTTP usage example.
In your example where you use app.get() and $.get() to send a ciphertext+passphrase to the browser, anyone with the CryptoJS JavaScript library and JsonFormatter can intercept and decrypt the data. It's completely in the open. What prevents someone from plugging your ciphertext and passphrase into CryptoJS and seeing all your data?
The example doesn't appear to be secure.
Thank you for reviewing the library. node-cryptojs-aes frontend data masking is aimed at preventing malicious behaviour by frontend data hackers; it can't stop a MITM attack. This approach comes in handy if there is a requirement for a large amount of sensitive data to be processed and stored on the client side at page construction time. Once the passphrase is passed from the server, the client will do the heavy lifting to decipher and reveal the masked data, reducing server load and processing time. Please refer to the example and check the updated document.
I agree with trusktr, it is open.
The likes of Firebug, IE and Chrome dev tools are the "man in the middle" and are the likely tools that anyone looking at data will use to get the password too!
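The exchange discussed in this thread, as an added example that is not part of the thread and is not code from node-cryptojs-aes: it models the two HTTP responses (masked data, then passphrase) and shows that whoever holds both recovers the plaintext with the same step the page's own script runs. Node's built-in `crypto` stands in for CryptoJS and JsonFormatter; the function names and the sample record are assumptions made for the illustration.

```javascript
// Added illustration. Node's built-in crypto stands in for CryptoJS; the
// function names and the sample record are constructed for this example.
const crypto = require("node:crypto");

// Server side: mask a record under a passphrase (scrypt key, AES-256-GCM).
function maskOnServer(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // This JSON is the body of the first HTTP response.
  return JSON.stringify({
    ct: ct.toString("base64"),
    iv: iv.toString("hex"),
    salt: salt.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
  });
}

// The unmasking step the page's own script runs once it has the passphrase.
function unmask(maskedJson, passphrase) {
  const m = JSON.parse(maskedJson);
  const key = crypto.scryptSync(passphrase, Buffer.from(m.salt, "hex"), 32);
  const d = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(m.iv, "hex"));
  d.setAuthTag(Buffer.from(m.tag, "hex"));
  return Buffer.concat([d.update(Buffer.from(m.ct, "base64")), d.final()]).toString("utf8");
}

// Model any party (page script, dev tools, a proxy) by the responses it sees.
function recover(observed) {
  if (!observed.masked || !observed.passphrase) return null;
  try {
    return unmask(observed.masked, observed.passphrase);
  } catch {
    return null; // wrong passphrase: the GCM tag check fails
  }
}

const record = '{"account":"constructed-0001","balance":1200}';
const passphrase = crypto.randomBytes(16).toString("hex");
const masked = maskOnServer(record, passphrase);
console.log("both responses :", recover({ masked, passphrase }));
console.log("ciphertext only:", recover({ masked }));
```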