
Absolute Web Security



So recently I've come to the realization that if I can take or break anything on a web-server, then why couldn't anyone else?  Which got the cogs turning and I started mulling over ways to prevent this.  Then I started thinking about a way to protect general content, and perhaps extend this to all files on the server.
I was thinking if there was a way that before any file went out from the server that you would pass it through some sort of encryption code, this I know would be really easy for standard content like text or scripts, you would just encrypt it with whatever key before you upload it... it would be nice that if on each request it generated a random key and passed it through a filter then sent it out but I don't even know the validity of doing something like that.  Then of course before the content is displayed to the user you pass it through a decryption method that was loaded to your client with the key for that session.  Once that session times out or is terminated the server no longer recognizes that key and the request is blocked like its client is a blacklisted IP.  Any sort of cURL or XHR of any kind to the server's response text would then be encrypted and really really hard to deal with.  Am I crazy or is this possible?


It's not a bad idea if you wanted to make it harder for someone to view the HTML portion of code, you could try it with JavaScript to decrypt the main portions of it client side live on the web and probably mobile. It would have to be fast enough that you would not lose performance. But if that's all it is then I don't see what's to stop someone from getting the content once it's decrypted, it just might make the standard file "save as" feature of the browser non-functional.

 

I wouldn't call this absolute web security. The user has the decryption key if they really want to get content and a decrypted version of that content in the browser. Also the terminology "absolute web security" would imply preventing attacks on the security of the site such as SQL injection and cross-site scripting - I don't see how it would prevent that at all.


I agree with kahootbird. If you send the encryption key to the client, it is always possible to use it by looking at the decryption function result. The only utility I find for encrypting and sending info to client (without decrypting it) is to do stateless user information transference between requests securely.

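The stateless use mentioned in the post above can be sketched as follows. This is an added example, not code from the thread: the server seals session state with AES-256-GCM under a key the client never receives, and rejects any token that was modified, forged or has expired. The names `seal`, `unseal`, `tamper` and `SERVER_KEY` are hypothetical, and the key is generated in-process only for the demo.

```javascript
// Added example (Node.js): stateless, server-sealed state token.
const crypto = require("crypto");

// Assumption: in production this key comes from a secret store shared by
// all servers; a random key is constructed here so the demo runs offline.
const SERVER_KEY = crypto.randomBytes(32);

// Encrypt and authenticate `state`; the client only ever holds the opaque
// string and sends it back unchanged with the next request.
function seal(state, ttlSeconds, key = SERVER_KEY, now = Date.now()) {
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const body = JSON.stringify({ state, exp: now + ttlSeconds * 1000 });
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Returns the state, or null if the token was modified, forged or expired.
function unseal(token, key = SERVER_KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64");
    if (raw.length < 28) return null; // too short to hold IV + tag
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { state, exp } = JSON.parse(pt.toString("utf8"));
    return now < exp ? state : null;
  } catch {
    return null; // final() throws when the authentication tag does not match
  }
}

// Flip one bit of the ciphertext, as a client editing its own token would.
function tamper(token) {
  const raw = Buffer.from(token, "base64");
  raw[raw.length - 1] ^= 0x01;
  return raw.toString("base64");
}
```

Because the key stays on the server, this protects the integrity and confidentiality of the state the client carries; it does nothing to hide content the browser must render.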
On 3/4/2016 at 8:05 AM, WombatTurkey said:

 You can actually compile JavaScript into native machine code utilizing V8 Snapshotting. 30% or so in loss of performance though. Roger Wang has a great talk on YouTube here.

 

 

Actually, it is 30% performance, not 30% performance loss; that means a 70% performance loss.

On 4/4/2016 at 2:09 PM, WombatTurkey said:

Oh sorry. I thought he meant 30% off, 70% seems a bit excessive / worth it.  But then again, I mean if your code is sacred, go for it lol

The good thing is you can mix normal JS code with compiled JS code. So compile the code which isn't performance heavy, and just minify the performance heavy code.

Finally, in the 21st century, law protects your code more than anything else ;)

