HACKER Q&A
📣 jslakro

Is encryption over HTTPS redundant and useless?


I'm planning to develop an application which is going to use SJCL (Stanford Javascript Crypto Library) to encrypt sensitive data (not card number, don't worry) in the SPA(React) before send it to a server which ONLY stores the information. Is that the correct approach? What I'm missing? Is out there any example of a similar scenario?

  👤 LinuxBender Accepted Answer ✓
To answer your question, I think that whether or not it is redundant depends on what a person can modify if they are in the middle of the data stream. Can they strip out the requirement for crypto on your site and inject less than secure links for the end user to interact with, or would that render your site useless? Is there server-side logic that can detect if the client is a proxy executing your crypto code or if it is really the end user? Can I put headless chrome in the middle and proxy a clients connection through it?

I'll give a related example using HSTS (headers that tell the browser to always use HTTPS). If I can MITM a connection that a person has never visited and assuming the domain name is not preloaded in the browser with HSTS, then I can simply strip out the HSTS header. This only affects people visiting the site for the first time, or the first time with that browser.

Or another example closer to your use case may be GPG keys for Linux YUM software repositories. If a person installs their OS directly from a repo mirror and I have compromised that mirror, I can modify any of the packages, re-sign them and put my GPG key in place of the OS maintainers GPG key.

Does your implementation fall into those examples, or would it be impossible to interact with your site if they crypto libraries were stripped out?

Beyond that, HTTPS is still useful for privacy if there would be any reason a person would not want someone to know what they are doing on your site. HTTPS is also useful for not getting an alert or red icon in the URL bar depending on the browser being used of course.