No this isn’t a lame post on how I explain to encode your Javascripts 
It’s something I’ve done for a bit of fun really, I wanted to figure out a way to pass data across the network encrypted with Javascript and have it automatically decrypted. I doubt this technique would ever be used in the real world because the key is passed between windows in plain text.
But here’s how it works anyway, first a key is requested from the user, the form data is then encrypted with that key using AES (Kindly supplied by Ronald) and base64 encodes it, then it assigns the key to the current window name. When the form is submitted the window.name is passed between windows (I don’t think the name is passed over the network), the decryption process is then automatically performed revealing the plain text.
I’ve called is JSSL (Javascript socket layer) just a fun pun on SSL, it could be improved to automatically generate a key based on mouse movements and destroy the key after use. You could even pass encrypted data between sites using this method.
Update…
I’ve changed the method to use a random key based on mouse movements instead of requiring a prompt. The script chooses a random character each time you move your mouse and adds the positions used to the key as well.
Check it out here:-
JSSL demo
Comments 7
I don’t get it…..why would anyone want to use this?
Posted 10 Dec 2007 at 11:38 pm ¶I dunno like I said just for fun….
Posted 11 Dec 2007 at 6:29 am ¶@kuza55
One thing has been bothering me lately…Recently you only seem to post negative things on my blog. The article clearly states “I’ve done for a bit of fun really” and “I doubt this technique would ever be used in the real world” but you still insist on repeating that fact, why?
Don’t take security so seriously and realise that some of us aren’t interested in patents or whitepapers and simply want to have fun! I will continue to post my ideas and I suggest the next time you make a comment you look at the context of the post.
Now I’m gonna implement JSSL on my new credit card transaction system, it will be ultra secure…see a joke
Posted 11 Dec 2007 at 10:56 am ¶Actually it can be used for login pages that aren’t on SSL. Any login page (yes also slackers and my forum) is basically insecure since it’s not on a SSL line. All your paases are send in clear, ready for the taking.
I’ve seen MD5 hashing in JS for login pages, and they have a practical implication IMO.
Posted 11 Dec 2007 at 11:13 am ¶@Ronald
Yeah good idea, I’ve written a md5 javascript login before but of course you can just intercept the hash. If however a random salt was used each time and then was hashed with the decrypted data then it would be possible to create a pretty secure login system.
Two sites could even communicate with this method to perform a cross site login without SSL. Still I won’t be rushing to implement it on any sites I develop
Posted 11 Dec 2007 at 11:31 am ¶You’re right that my last two/three posts have been negative (or were there more?), but personally the thing that annoys me most are fawning posts which say “Thanks, this is cool.” or something along those lines, and seeing as I don’t have any constructive criticism (JS encryption is doomed), I post my views, as negative as they are.
You’re right though, I must have missed that line somehow, however the fact that they key is passed in plaintext isn’t the biggest issue; the reason I don’t see this as too valuable is because Javascript encryption only stands up to passive attackers, and its pretty unlikely that an attacker would be able to read, but not modify data.
I understand the worth of raising the bar, etc, but given that the performance benefits associated with using this method as opposed to SSL/TLS probably aren’t too huge.
I’m not too interested in patents or whitepapers; well, not unless they are new and interesting ideas, and this is neither, not that I can really talk, having not posted anything new or interesting in a long while.
And while having everyone agree with you is nice, its better IMO to have those that don’t and are always critical, but not hostile. So I’ll keep posting until my comments stop getting approved (like they did elsewhere).
Posted 12 Dec 2007 at 5:02 am ¶@kuzza55
I don’t mind constructive criticism and if you mentioned the points in your previous comment then they would be welcome but I found it annoying that all you stated was already mentioned in the article.
Let stop this eh? It’s wasting valuable hacking time
Great points and of course this method is no replacement for SSL
Posted 12 Dec 2007 at 9:14 am ¶Post a Comment