Hi,

I'm looking for a way to encrypt an HTML form in PHP so that I can then decrypt it in the browser using JavaScript. This should work transparently to the user, and JavaScript input validation must also work on the form (I know how to do this). When the user submits the form, it must be encrypted again and sent to the server using an "AJAX" request.

Edit: this will be used as an alternative CAPTCHA system, so scripts cannot submit forms, unless by some clever design.

Edit 2: I know this is breakable, everything is. Car locks are breakable, but we still use them. It is not meant to be the ultimate CAPTCHA, but a speed bump, which will drive all but the most persistent people away.

Thank you

+4  A: 

This is the same problem as with DRM: the user has the ciphertext. The decryption is done on the user's system, so the user must have the key too. If the user has both key and ciphertext, all encryption is pointless.

If you just want to transmit data safe from outside snoopers, why not just use SSL (HTTPS)?

grawity
All you can hope is to frustrate whoever is trying to reverse-engineer it long enough that they give up.
altCognito
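
Added example, not part of the answers or comments on this page: a Node.js sketch of the point made above, in which a page that must be decrypted in the browser has to carry its own key, so the page source alone is enough to recover the form. The function names, the `PAYLOAD` variable and the sample form are constructed for illustration.

```javascript
// Added example: constructed data, hypothetical names throughout.
const nodeCrypto = require("crypto");

// Constructed sample form the server wants to hide from scripts.
const FORM_HTML =
  '<form action="/comment" method="post">' +
  '<input type="hidden" name="token" value="constructed-123">' +
  '<textarea name="body"></textarea></form>';

// "Server" side: encrypt the form with AES-256-GCM and build the page.
// The browser has to decrypt it, so key, IV and tag ship in the page too.
function serveEncryptedPage(formHtml) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(formHtml, "utf8"), cipher.final()]);
  const parts = { key, iv, ct, tag: cipher.getAuthTag() };
  const json = JSON.stringify(
    Object.fromEntries(
      Object.entries(parts).map(([k, v]) => [k, v.toString("base64")])
    )
  );
  return `<html><body><div id="f"></div><script>var PAYLOAD = ${json};</script></body></html>`;
}

// Design check: given only the served page source (what any HTTP client
// receives, no browser involved), recover the plaintext form.
function recoverForm(pageSource) {
  const m = pageSource.match(/var PAYLOAD = (\{.*?\});/);
  if (!m) throw new Error("payload not found");
  const p = JSON.parse(m[1]);
  const b = (s) => Buffer.from(s, "base64");
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", b(p.key), b(p.iv));
  d.setAuthTag(b(p.tag));
  return Buffer.concat([d.update(b(p.ct)), d.final()]).toString("utf8");
}

// True when the page by itself reveals the protected form.
function pageAloneRevealsForm(pageSource, expectedHtml) {
  return recoverForm(pageSource) === expectedHtml;
}
```

The strength of the cipher is irrelevant here: the markup is absent from the raw page, yet everything needed to restore it travels in the same response.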
+2  A: 

You can use base64.

<?php
// Base64-encode the form markup before sending it to the browser
echo base64_encode('html source');
?>

and then you can use the jQuery plugin: http://plugins.jquery.com/project/base64 or JavaScript http://www.webtoolkit.info/javascript-base64.html to decode that.

sasa
This wouldn't be "encryption", just encoding.
grawity
Yes, but why use some encryption system if the key will be visible? I think that he wants to hide HTML code from bots or something :)
sasa
sasa is correct, it's to make work harder for bots to harvest data or submit forms (with spam probably).
Matic
But the bots can run the JavaScript too. So how are you making it harder?
jmucchiello
A: 

For a CAPTCHA, the only way to defeat scripts is something that can only be done by a human - such as recognizing something in an image, or doing some math.

All decryption that's done by the browser can be just as easily done by automated scripts.

grawity
A: 

If you're trying to use this to stop spam, I've got some bad news for you:
The price of humans who'll spam blogs is falling to zero

This is a reality. On a site I run, I had a captcha system set up that spam was getting through. All but about 2 were coming from poorer regions of the world, so I had suspicions that there were companies paying people to spam. To test this I set accounts created by people in certain regions to be only visible to them and after they posted some content to alert them to the fact that their account was auto hidden. I provided them a form to contact us and complain if they were a legitimate user. Upon doing this we started getting about 10 emails a day from people angry that we had hidden their account; however, upon checking the content they had added, they were spammers! It sounds crazy, but unfortunately it now seems to be humans doing the bulk of the spam. The spammers know we use captchas, so they have adapted. :(

CAPTCHAs are fast becoming useless (if not so already). Adding a link so users can report spam and having karma levels where users are granted admin privileges so that their flagging leads to automatically hiding spam without prior confirmation (like Stack Overflow does) is really the only effective way to stop spam now.

Gerry