Encrypt HTML form data without using SSL

In certain cases, it might be hard to install SSL certificates, or SSL is not supported by some web hosts. In those cases, there is a need to encrypt the data (POST/GET) that is sent when you submit a form, because if you don’t, your data will be sent in plain text. So I ran into jCryption, a JavaScript-based HTML form encryption plugin. The encryption is performed using the RSA public-key algorithm and supports form data encryption up to 2048 bits.

  • jCryption encrypts on the client with JavaScript and decrypts on the server with PHP.
  • A key pair is automatically generated each time the user requests to send data. This adds an extra layer of security.
  • jCryption was built on top of the Multiple-Precision library and uses the Barrett Modular Reduction library as well.
  • It is completely free and has been dual licensed under the MIT and GPL licenses.
  • Has been tested and works with all modern browsers such as Firefox 3, Chrome, Opera 9+ and legacy browsers such as IE6.

Caution when considering jCryption

  • jCryption must not be used as a replacement for SSL, as it currently provides neither authentication nor protection against MITM (man-in-the-middle) attacks.
  • Because the encryption is performed on the client side, if the client has disabled JavaScript, which may be the case in some corporate environments, the form data will be sent unencrypted.
  • File uploads are also not encrypted, for performance reasons, as there is no fast way of accessing and applying encryption to data inside a file.
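The second caution above, the silent fallback to plaintext when JavaScript is off, can at least be detected on the server. The following is an added example, not code from jCryption or from this post: a fail-closed check over the raw form body, where the field name `jCryption`, the `csrf_token` allowlist entry and the hex ciphertext shape are all assumptions made for illustration.

```javascript
// Added example: fail-closed server-side check for a jCryption-style form.
// ASSUMPTIONS (not taken from jCryption): the encrypted payload arrives in one
// field named "jCryption", encoded as hex blocks separated by spaces.
const ENCRYPTED_FIELD = 'jCryption';                   // assumed field name
const ALLOWED_CLEAR_FIELDS = new Set(['csrf_token']);  // hypothetical non-secret field
const CIPHERTEXT_SHAPE = /^[0-9a-f]+( [0-9a-f]+)*$/i;  // assumed encoding

// rawBody: an application/x-www-form-urlencoded POST body or a GET query string.
function checkSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);

  // Any field other than the ciphertext or an allowlisted one means the
  // browser submitted the form without running the encryption script.
  const leaked = [...new Set(params.keys())]
    .filter((name) => name !== ENCRYPTED_FIELD && !ALLOWED_CLEAR_FIELDS.has(name))
    .sort();
  if (leaked.length > 0) {
    // Report field names only; never write the leaked values to a log.
    return { accept: false, reason: 'plaintext-fields', fields: leaked };
  }

  const blobs = params.getAll(ENCRYPTED_FIELD);
  if (blobs.length === 0) return { accept: false, reason: 'missing-ciphertext', fields: [] };
  if (blobs.length > 1) return { accept: false, reason: 'duplicate-ciphertext', fields: [] };
  if (!CIPHERTEXT_SHAPE.test(blobs[0])) {
    return { accept: false, reason: 'malformed-ciphertext', fields: [] };
  }
  return { accept: true, reason: 'ok', fields: [] };
}

// Constructed sample requests (not captured traffic).
const samples = [
  'jCryption=0a1b+ff02&csrf_token=abc',   // script ran: ciphertext only
  'username=alice&password=hunter2',      // JavaScript disabled: plaintext form
  'jCryption=0a1b&password=hunter2',      // mixed: one field escaped encryption
];
for (const body of samples) {
  const verdict = checkSubmission(body);
  console.log(verdict.reason, verdict.fields.join(','));
}
```

A rejection here only detects the leak: the values have already crossed the network in clear and should be treated as exposed. Rendering the submit control from script, so the form cannot be posted without JavaScript, keeps the plaintext from being sent in the first place.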

jCryption is hosted on Google Code and is available for download.

Still not convinced? Check out the jCryption demo.

Published By:

Author: Ajit Gaddam

Ajit Gaddam is an accomplished technology executive and is currently the Head of Security Engineering at Visa, where he is responsible for building large scale AI driven cybersecurity products, leading engineering programs, and providing expert guidance on cybersecurity matters. He has presented at conferences worldwide, including USENIX Enigma, RSA, Black Hat, Strata Data Hadoop, COSO Dublin, and GCS Ukraine. Ajit has been quoted by major media organizations and his work has been showcased in academic journals, security publications, and in two published books. He is an active participant in various open source and standards bodies, is a prolific inventor of disruptive technologies (over 100+ global patents), and moonlights as an instructor (SANS, community colleges).

4 thoughts on “Encrypt HTML form data without using SSL”

  1. Why don’t you give a README.txt file to explain precisely how to install it? You developers and coders: you only write in one language and that is the language you speak with one another!! The average person wanting to learn is clueless with your terms. e.g., what the heck does “add this to your HTML form” mean? and how do you do it?
