HTML 5 symmetric encryption and storage

 
Michael Cohen
Greenhorn
Posts: 4
How can HTML5 be leveraged with encryption?

Also where's the safest place to store data? Local storage? Is there a way to prevent script injection?
 
Carsten Eilers
author
Posts: 13
Hi Michael,

Michael Cohen wrote: How can HTML5 be leveraged with encryption?

What do you want to encrypt?

The problem with any encryption in the browser is:
- If you store the key on the client (which is necessary for offline use), it can be read via XSS and by any malware on the client
- If you store the key on the server, XSS code can still read the decrypted data during its usage

Michael Cohen wrote: Also where's the safest place to store data? Local storage?

If it's in any way sensitive: On the server.
All other data: The most secure place is the session storage; for persistent storage I would prefer the local storage. Not for security reasons, but because all browsers have them. WebSQL and IndexedDB are only partly implemented. From a security point of view there is no really big difference between local storage, WebSQL and IndexedDB.

Michael Cohen wrote: Is there a way to prevent script injection?

Don't have XSS vulnerabilities. :-)
Check all data a user can tamper with for script code, best with a whitelist, or encode the data before you display it.

But if you search for an easy way: There is none, as long as you work with any data the user can tamper with.

Kind regards
Carsten
 
Michael Cohen
Greenhorn
Posts: 4
Carsten,

Thanks, yes encryption is hard in the browser without saving some sort of key. What do you think of the functionality that browsers like Chrome provide to keep data secure? Have you played with Chrome's local storage that's available to browser extensions? I'd love to hear your take.

Thanks,
Mike
 
Carsten Eilers
author
Posts: 13

Michael Cohen wrote: Carsten,

Thanks, yes encryption is hard in the browser without saving some sort of key. What do you think of the functionality that browsers like Chrome provide to keep data secure? Have you played with Chrome's local storage that's available to browser extensions? I'd love to hear your take.

Thanks,
Mike

Hi Mike,

First: I don't like browser-specific implementations. Every usage of non-standard functionality leads to different implementations of the web app, and that increases the possibility of vulnerabilities.

For Chrome: I only looked briefly at it, since the extensions are a part of the browser and I mainly focus on the web apps.
It looks very much like the normal local storage of HTML5, so there should be the same problems/benefits. But it stores objects instead of strings, and I'm not sure if this can lead to additional security problems or not.

Kind regards
Carsten
 