
We have a client/server application which many customers use in their internal network without HTTPS.

And we needed the password you enter in the frontend as plaintext in the backend so we could log on against DirectoryServices.

We did this by using public/private key encryption: we send the public key to the JavaScript and decrypt in C# via our private key. This works, but we need to include a huge JavaScript library only for the encryption.

Is there a native browser API available to use for this (without HTTPS)?

Is there a better way at all to do this?

Jason Aller
user1237393
  • https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle – epascarello Apr 15 '21 at 20:35
  • This feature is available only in secure contexts (HTTPS), in some or all supporting browsers. – user1237393 Apr 15 '21 at 22:50
  • whoops.... Guess you are stuck to using a library. Tons of them out there – epascarello Apr 16 '21 at 12:45
  • https://stackoverflow.com/questions/18279141/javascript-string-encryption-and-decryption – epascarello Apr 16 '21 at 12:47
  • Please just use https. Without it you have to worry about MitM attacks on the client side encryption anyway. It has never been easier or cheaper to use HTTPS anyway thanks to https://letsencrypt.org/ and by cheaper I mean free. You put your users at risk by not using HTTPS. – zero298 Jun 15 '21 at 01:43

0 Answers