I know everyone uses TLS/SSL as transport layer security on the web.
What would prevent me from generating, let's say, a keypair manually, encrypting data client-side (using JS for example) with that public key and submitting that data to my server with an HTTP GET/POST request?
I mean, I can just use a JS library to encrypt some form data with that public key, right?
Only the person who has the private key can decrypt it, right? And the private key would be kept on the server, of course. No key warning will pop up, since the transmission is a regular HTTP request. So why do I need TLS?
How do you trust that the JavaScript delivered to the browser is the JavaScript that will encrypt with the correct key?
Think about it for a second, and realize that security best practices are very subtle and nuanced, and simply slapping encryption on top is not a solution.
Also, if you're dealing with the "key popup", you've broken one leg of the TLS trust model (the trusted certificate authority) by using an unsigned server certificate.