I want to implement poor man's SSL only to encrypt certain fields of only one form using RSA. Is JS better, or should I go for an applet?

+5  A: 

Why not just use normal man's SSL to encrypt the whole page?

Rolling one's own encryption is a risky business and unless you have a very good reason for it, you're likely to cause more security problems for yourself than you solve.

What is your objective and why is SSL not a viable option?

glenatron
+3  A: 

Both solutions are not secure.

In theory it's possible that you can create a perfectly secure implementation of RSA in both JavaScript and Java. This would be good enough to prevent someone from eavesdropping on the transmission of your data.

However, people with the criminal energy of eavesdropping are likely also able to modify the data stream. That's something you cannot protect against, because an attacker could easily just replace your whole encryption code with something he wrote himself.

In the end this only gives you a false sense of security. You're better off purchasing a cheap SSL certificate.

Georg
+1. You cannot possibly expect the user to check every line of downloaded JS to ensure that your secure encryption code hasn't been tampered with. Protection against only passive MitM attacks isn't much use. You need HTTPS, and it's no longer the expensive proposition it once was.
bobince
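
The point made in the answer and comment above, modelled entirely in-process as an added example (not code from any poster on this page): field-level RSA in page-delivered script holds against a passive observer, but gives the client no way to notice when the page itself was altered in transit. All function names and the sample field value are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const pem = (key) => key.export({ type: 'spki', format: 'pem' });

// Server side: key pair whose public half is embedded in the page it serves.
function makeServer() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    page: () => ({ publicKeyPem: pem(publicKey) }),
    decrypt: (b64) => {
      try {
        return crypto.privateDecrypt(privateKey, Buffer.from(b64, 'base64')).toString('utf8');
      } catch {
        return null; // ciphertext was not produced with this server's key
      }
    },
  };
}

// Browser side: encrypts the field with whatever key arrived in the page.
// Nothing here can tell whether that key is the one the server sent.
function clientSubmit(page, fieldValue) {
  return crypto.publicEncrypt(page.publicKeyPem, Buffer.from(fieldValue, 'utf8')).toString('base64');
}

// One page load plus form submit over a channel with no integrity protection.
function runExchange(rewritePage) {
  const server = makeServer();
  const secret = 'constructed-field-value-0000'; // constructed sample input
  const wire = clientSubmit(rewritePage(server.page()), secret);
  return { secret, wire, serverSees: server.decrypt(wire) };
}

// Passive observer: the page arrives unmodified, only ciphertext is visible.
function passiveCase() {
  const r = runExchange((page) => page);
  return { observerLearnsSecret: r.wire.includes(r.secret), serverOk: r.serverSees === r.secret };
}

// Page altered in transit: the client runs the same code path without any error.
function tamperedCase() {
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const r = runExchange(() => ({ publicKeyPem: pem(other.publicKey) }));
  const read = crypto.privateDecrypt(other.privateKey, Buffer.from(r.wire, 'base64')).toString('utf8');
  return { intermediaryLearnsSecret: read === r.secret, serverOk: r.serverSees === r.secret };
}
```

The missing property is integrity of the delivered page, which is what HTTPS provides before any script runs.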
A: 

SSL is not expensive to use. Developer time is expensive. The operations / admin overhead of buying**, installing, configuring and maintaining SSL is not a really major one.

If you want a "poor man's encryption", use HTTPS!

** cost of the certificates themselves of course, being negligible.

MarkR