1

I would like to know if there's a combo like jCryption (jCryption) - PHP but for jQuery - ASPX. I mean, I have been searching for a combo to send data both ways (Client-server, server-client) with jQuery to ASPX. The best I found was jCryption that sends data from JavaScrpit to PHP. I need a combo to send data from JavaScrpit to ASPX.

Any ideas??

PD: Please don't tell me to use HTTPS, it's not enough to ensure the data communication on a client - server application.

neubert
  • 15,947
  • 24
  • 120
  • 212
  • Actually jCrypton is made to support applications/servers that have no SSL abilities and does no replace it... Moreover many users report it as not working. – eugeneK Jun 06 '10 at 06:48
  • do you mind if i ask what you mean by "it's not enough to ensure the data communication on a client - server application" the html isn't encrytped by jCryption, only the outbound data, which, as i understand it, is what SSL does for you. – nathan gonzalez Jun 06 '10 at 06:50
  • 1
    HTTPS is more than enough. It's more secure than anything you can build with your JavaScript libraries. This jCryption does not authenticate. It does not encrypt HTTP headers (with sensitive session information), and in fact, the library itself is sent in plain-text. – Tower Jun 06 '10 at 09:32

2 Answers2

4

"Please don't tell me to use HTTPS, it's not enough to ensure the data communication on a client - server application"

Well, sorry, but that's exactly what I'm going to do. SSL is far more secure than anything you're able to do with JavaScript. With non-SSL you're sending clear-text to client/server, meaning if I can see the packets, a man in the middle attack (e.g. you're at my coffee shop, my wireless router) is not that hard. How would you do anything more secure in JavaScript?

You would be sending all keys back and forth over a plain-text connection, negating the point of any security you think this adds. This is like adding an extra deadbolt to your front door, does it make it any more secure? Not really, because you just gave me a copy of the key :)

Is SSL perfect? No, there have been holes found like anything else. Is it way more secure than any encryption where the keys are freely visible, e.g. JavaScript over an unencrypted connection? Yes.

jCryption that you mention is not a replacement for SSL, you don't have to believe me though, look at the comments from it's author, just scroll to the bottom.

That’s true it is vulnerable to MITM attacks, but I mentioned that jCryption at it’s current state offers no way of authentication and that it is no replacement for SSL. jCryption should be an easy to install plugin which offers a base level of security.

Or, read the FAQ itself:

In my opinion jCryption is much easier to install and configure. Although I don’t think that jCryption is a replacement for SSL. It could be a nice addtion for your contact form or login page to simply make it more secure. If you need highest security you have to use SSL, because jCryption offers no way of authentication.

Nick Craver
  • 623,446
  • 136
  • 1,297
  • 1,155
0

This might be too little, too late; however, I've ported the original author's server-side, PHP, code to C#, and so you can now use jCryption, bi-directionally, in an ASP.NET application. I've also used OpenSSL.NET, so that you don't have to run OpenSSL in a separate process, as Daniel Griesser does in his PHP sample code.

You can find more information here: http://blog.arkitekt.ca/post/64884550698/jcryptionnet And, the GitHub repo here: https://github.com/triniMahn/jCryptionNET

triniMahn
  • 278
  • 1
  • 4
  • 16