I'm looking into an offline web app solution using HTML5. The functionality is everything I need BUT the data stored can be directly queried right in the browser and therefore completely insecure!
Is there any way to encrypt/hide so that the data is secure?
Thanks, D.
As with any programming language, HTML5 is only as safe as the practices of the developer who creates with it. However, HTML5 is seen as much more robust in terms of safety because of this sandboxing.
HTML5 provides little protection for web vulnerabilities such as XSS, CSRF or SQL injection amongst many others. Even though the specification may seem more secure, most of the vulnerabilities available in the hackers' arsenal continue to work on HTML5-based sites as well.
The architecture of HTML5 allows cyber risk management. It is more secure than any Flash code, but not entirely immune to malware or security issues. The difference is that HTML5 is maintained by the World Wide Web Consortium (W3C).
There are two concerns to local storage in HTML5 -
For 1, browsers enforce the same-domain restrictions to localStorage (or the SQLite database support that Safari has), so other websites won't have access to the data that you store. However, do remember that if your site has XSS vulnerabilities, it would be possible to steal the data.
For 2, you can't prevent it. It's just like a cookie - the user can choose to view/delete/modify it.
Encryption of data is possible (see http://farfarfar.com/scripts/encrypt/), but pointless. You cannot have a single, global key/password - because an attacker can easily figure the key from JavaScript code. Using a user-entered password to encrypt/decrypt is possible, but client-side encryption libraries aren't mature or tested well enough. There are likely tons of ways to break it.
So, for now at least, don't store sensitive data in localStorage.
You can also see an article on this concern by the author of the HTML5 SecureStore Proposal.