
How do I encrypt JSON data that is transferred back and forth from client to server? When I use Firebug, I can see all the data (contents in result.d). I'm using ASP.NET 3.5 and C#. Our admin has set up the site to use https, but I can still see the POST requests and the data. What am I missing?

Thanks!

tempid

1 Answer


HTTPS is still your best option - you just need to ensure that HTTPS is, in fact, being used. Firebug can do this for you - if you inspect the full URL being used.

However, Firebug is running on the client, so it is seeing the data before it is encrypted / after it is unencrypted. (Just because you're seeing "all the data" doesn't mean that it isn't being encrypted "over the wire".)

If you need to really verify / see the data in its encrypted state, use something like Wireshark or Fiddler.

Extending upon Greg's comment, this encryption prevents other users on the network from viewing your data - both to and from the server. I.E., if you're at a wireless hotspot, this will prevent other users at the hotspot or other less-than-honorable network operators from intercepting your data in clear-text. If you're trying to prevent the end user (the user using the web browser) from viewing the data, you can't. Any attempts to do so will be defective-by-design™.

ziesemer
  • The POST URL in Firebug looks something like this - `https://xxx.com/xxx.aspx/LoadData`. I then click on the JSON tab and can view the results. I should not be seeing this in HTTPS, right? – tempid Feb 29 '12 at 01:49
  • +1 Again, as ziesemer said, you're looking at data that's on the client, so in theory that's data that the client application has already seen and interacted with. To check to see if it's encrypted, I suggest checking out the traffic between the browser and the server using a proxy or port listener. – jamesmortensen Feb 29 '12 at 01:52
  • @enigma: If you're trying to hide the data from the *end user* (the person sitting behind the browser), you can't. – Greg Hewgill Feb 29 '12 at 01:57
  • Thank you. I've looked in Fiddler and saw the 443 tunnel entries for the website, so the HTTPS seems to be working. I'm still trying to wrap my head around this... if what I see in Firebug is client-side data, how is the SSL helping me at all? How is it stopping a hacker? Sorry, I'm a newbie. – tempid Feb 29 '12 at 01:59
  • SSL stops the guy sitting at the other table at the coffee shop from snooping your Wifi connection and seeing everything you're doing. See [Firesheep](http://en.wikipedia.org/wiki/Firesheep). – Greg Hewgill Feb 29 '12 at 02:00
  • @GregHewgill: Thanks for the link to Firesheep. I heard it hijacks other people's browser sessions. So if my POST URL is exposed through Firebug, anyone can hit it and bombard the server, right? I'm sure I'm missing something here. If the user can see the JSON data they'll get an idea about my object model and other metadata that may not be displayed on the page. There's no way to avoid that? – tempid Feb 29 '12 at 02:08
  • @enigma: That's right. You must assume that everything the browser sees and does is under the absolute control of the end user. You are not missing anything. – Greg Hewgill Feb 29 '12 at 02:10
  • @enigma - "and other metadata that may not be displayed by the page". If this is truly the case (along with not being "used" by the page), then this data shouldn't be sent to the browser at all. At a minimum, this is useless data that will slow performance. If anything here is considered "proprietary" or "confidential", you need to revisit your approach. Any attempts to encrypt this from the end user will be defective-by-design™. – ziesemer Feb 29 '12 at 02:12
  • Thanks everyone for your responses, really appreciate it. I learnt something new today! +1 for defective-by-design™. – tempid Feb 29 '12 at 02:27