Sorry if this question was asked, but I haven’t found the exact question. I have an HTML form that is being submitted in plaintext. I know that there is HTTPS with SSL, but I don’t want to buy a certificate. Is it possible in some way to encrypt form data? I am thinking about two things:
- hashing form data via JavaScript – in fact I only want to send a password, so I don’t need to know its original value.
- RSA – not sure if it could be implemented in JavaScript.
What would you suggest? Any other variants?
Whatever browser-side encryption you perform will require the use of an encryption key – this will be available to an attacker. So while your password will be encrypted to the casual observer, there is no extra security afforded against a targeted attack.
Hashing is useless in this context because the hashed version of the password becomes the password used to authorise/register the user.
The only solution to this problem is an SSL certificate – they are remarkably cheap!
http://en.gandi.net/ssl/grid (no affiliate link)
You could even use a self-signed certificate (if you can educate your users to trust the browser warning that will appear). As self-signed certs don’t have a “certificate authority” to certify that the certificate was legitimately procured (and not, for example, presented by a remote host in a man-in-the-middle attack) browsers (and users) are pretty vociferous in their dismissal of them as “insecure”.
There is a good article on Javascript Security at Matasano Security: