Is In-Browser Encryption Safe?

From: Robert Inder (robert_at_interactive.co.uk)
Date: 01/11/05

Next message: M. Shirk: "RE: Data security"

Previous message: Rocky Heckman: "RE: Re[2]: Stack Overflow"
Next in thread: Javier Otero De Alba: "RE: Is In-Browser Encryption Safe?"
Maybe reply: Javier Otero De Alba: "RE: Is In-Browser Encryption Safe?"
Maybe reply: Ed Gorski: "Re: Is In-Browser Encryption Safe?"
Maybe reply: SERGIO OTERO: "Re: Is In-Browser Encryption Safe?"
Reply: James Eaton-Lee: "Re: Is In-Browser Encryption Safe?"
Maybe reply: Security: "FW: Is In-Browser Encryption Safe?"
Reply: Alexander Klimov: "Re: Is In-Browser Encryption Safe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: security-basics@securityfocus.com
Date: 11 Jan 2005 12:44:20 +0000

One of our clients has asked us to add an ordering facility to a web
site, and I'm wondering about using in-browser encryption to
protect the credit card number.

Here's the situation.

The ordering facility will, I believe, be almost impossible to use
until we add a sane product selection system (at which point we/they
will probably be signing up with a third party payment processing service).

But there is political pressure to have an ordering facility as soon
as possible, and we've been asked to provide an on-line order form,
with the orders coming to them by email. Given the likely usage,
having orders reach the client as email makes sense.

The obvious approach is that we set up something on the server to
forward orders to the client's behind-the-scenes email address.

Unfortunately this involves the server handling "valuable" information
(albeit probably only a single credit card number every few weeks!), and
I'd like to avoid this if possible.

Now, I have noticed implementations of public-key encryption
in Javascript. For instance the RSA algorithm at http://www.ohdave.com/rsa/

So I am wondering whether I could use such a package to
(conspicuously) encrypt the credit card number in the user's browser.

If the server were unable to decrypt the card number, but simply
forwarded it to the client, then we would be back to the situation
where the server never has anything of value.

Does anyone have any thoughts on this?

Why have I never seen anybody using this approach?

Robert.

--
Robert Inder      Interactive Information,            07770 30 40 52 (general)
07808 492 213     3, Lauriston Gardens,                    0131 229 1052 (fax)
                  Edinburgh EH3 9HH
                  SCOTLAND UK             Interactions speak louder than words

Next message: M. Shirk: "RE: Data security"

Previous message: Rocky Heckman: "RE: Re[2]: Stack Overflow"
Next in thread: Javier Otero De Alba: "RE: Is In-Browser Encryption Safe?"
Maybe reply: Javier Otero De Alba: "RE: Is In-Browser Encryption Safe?"
Maybe reply: Ed Gorski: "Re: Is In-Browser Encryption Safe?"
Maybe reply: SERGIO OTERO: "Re: Is In-Browser Encryption Safe?"
Reply: James Eaton-Lee: "Re: Is In-Browser Encryption Safe?"
Maybe reply: Security: "FW: Is In-Browser Encryption Safe?"
Reply: Alexander Klimov: "Re: Is In-Browser Encryption Safe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]