0

I don't want to use HTTPS

http://www.vector.safwanmanpower.com/

Fill in the username and click on any of the buttons, then click on the show button; you will get a sequence like 2-4-5-7 in an alert box. I've generated this sequence using JavaScript. Now I want to submit this sequence to save it in the database. That is working, but when I send this sequence it goes in plain text. I want to encrypt this sequence, then decrypt it on the server using PHP and save it as it is (2-4-5-7) in the database.

How can I do this? Is there any JavaScript encryption which can't be considered weak, given that JavaScript code is visible to the user?

So that man-in-the-middle sniffing will be difficult.

How can I encrypt using JavaScript, decrypt using PHP and store in the DB in the above example?

Any other solution will help me.

The problem with your approach is that when you encrypt on the client side and still send the data in an insecure way to the server, an attacker is still able to capture the (encrypted) data (e.g., password) and just send that data to the server to mimic someone's identity. Commented Mar 27, 2011 at 20:29

3 Answers

5

Is there any particular reason why you want this encrypted client-side, only to decrypt it server-side? If you want to prevent the data from being caught by links between the client and the server, I'd suggest using SSL instead. The HTTPS protocol is a good way of securing the data being sent from and to the client.


3 Comments

Yes, I know, but I want to secure this application without using HTTPS. This is my final-year project, so using an SSL certificate is not feasible.
Without the use of SSL it will become very tricky, considering, like you stated yourself, every JavaScript you use can be read and reversed. What you could try to do is send keys over multiple requests (via AJAX perhaps). It's still not as secure as SSL, but it might get trickier to crack.
And if you want to sacrifice user comfort for security, you could also look into e-mail or SMS verification codes. If you need a code from an e-mail every time you log in, there would be no real way of getting into the system with only the number combination.
4

Best solution if you don't want anyone sniffing what's passing on the network?

Use HTTPS: all communications between the server and the clients will be encrypted.

4 Comments

Yes, I know, but I want to secure this application without using HTTPS. This is my final-year project, so using an SSL certificate is not feasible.
Why would it not be possible? If it's your final-year project, you certainly want to use what's used in real life, no?
Self-signed SSL certs are free. If it's just a school project, there should be no issues there, as long as you document the reason for the error message your users might receive when testing the application.
@mr_eclair you can generate an SSL certificate yourself, for free; there will be a warning in some browsers the first time one accesses your website, but communications will be encrypted -- just explain why there is that error message, and that, for a real-life project, you'd have bought a non-self-signed certificate.
2

How can I do this? Is there any JavaScript encryption which can't be considered weak, given that JavaScript code is visible to the user?

So that man-in-the-middle sniffing will be difficult.

JCryption will do this using public-key encryption.
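The replay problem raised in the comment under the question, applied to the public-key approach this answer mentions, as an added example that is not part of the original thread and is not jCryption's code. Both sides are simulated in Node.js; the key pair, the function names and the server-issued single-use nonce are assumptions made for the illustration.

```javascript
// Added example: constructed data and hypothetical names; browser and server are both simulated here.
const nodeCrypto = require('node:crypto');

// Server key pair. The public half is what the page's JavaScript would be given.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Browser side: encrypt the form payload with the server's public key.
function clientEncrypt(payload) {
  const plain = Buffer.from(JSON.stringify(payload), 'utf8');
  return nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, plain);
}

// Server side: recover the payload with the private key.
function serverDecrypt(ciphertext) {
  const plain = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext);
  return JSON.parse(plain.toString('utf8'));
}

// Naive server: anything that decrypts is accepted, so a captured ciphertext works again.
function naiveServer(ciphertext) {
  return { accepted: true, sequence: serverDecrypt(ciphertext).sequence };
}

// Nonce server (assumed design): a fresh single-use value must be inside the ciphertext.
const outstanding = new Set();
function issueNonce() {
  const nonce = nodeCrypto.randomBytes(16).toString('hex');
  outstanding.add(nonce);
  return nonce;
}
function nonceServer(ciphertext) {
  const { sequence, nonce } = serverDecrypt(ciphertext);
  if (!outstanding.delete(nonce)) return { accepted: false }; // missing, unknown or already used
  return { accepted: true, sequence };
}

// Each ciphertext is submitted twice: once by the user, once as a sniffer's replay.
function demo() {
  const sniffedNaive = clientEncrypt({ sequence: '2-4-5-7' });
  const naive = [naiveServer(sniffedNaive), naiveServer(sniffedNaive)];
  const sniffedBound = clientEncrypt({ sequence: '2-4-5-7', nonce: issueNonce() });
  const bound = [nonceServer(sniffedBound), nonceServer(sniffedBound)];
  return { naive: naive.map(r => r.accepted), bound: bound.map(r => r.accepted) };
}

console.log(demo()); // first entry of each pair is the user's request, second is the replay
```

The nonce only stops a passive sniffer from re-sending captured data. Over plain HTTP an attacker who can modify traffic can still replace the script or the public key, which is the gap the HTTPS answers close.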
