This is a security best practice and I’m wondering if I should even be wasting my time with this.
In the same vein as an initial crack of the Blu-ray movie format, hackers just inspected the memory of a player to snoop out a key value.
It seems like it’s feasible to do the same thing with browser memory, and to look at values that the JavaScript interpreter has set – so should I be encrypting data that is in memory?
Thinking this through – it’s eventually insane, because if my browser is displaying sensitive data on the screen, it’s conceivable that that piece of data is in memory and could be snooped. So it wouldn’t matter if I had encrypted that same data in JavaScript somewhere.
I’m having a tough time explaining to my superiors why we shouldn’t go to this level of security…
Really, if you are concerned with some data being in the browser, then it shouldn’t be there. When data goes to the client, you can consider it compromised, as you have no way of ensuring it is secure. Others have brought up a good point: you can send encrypted information to the client, but you won’t be able to do anything with it, because you’ll have to decrypt it to show it to the end user. This is why, if you look at regulations for banks, they never display any personal information (SSN etc.) in the browser unless it was specifically typed in by the user (typed in and then posted back).
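An added illustration of the point in this answer (example code, not from the thread or any project): the weak pattern ships the full value and relies on the client to hide it, so it sits in browser memory no matter what the JavaScript does, while the hardened pattern masks on the server so the full value never leaves it. The record, field names and masking rule are made up for the example.

```javascript
// Added example: two ways a server could hand a customer record to the browser.
// buildWeakResponse() sends the full SSN and asks the client to hide it; the
// raw value is then readable from browser memory and devtools regardless of any
// client-side encryption. buildSafeResponse() masks on the server, so only the
// last four digits ever reach the client. The record and field names are
// constructed for this example.

// Constructed sample record, as it might come out of a database.
const customerRecord = { id: 42, name: 'Jane Doe', ssn: '123-45-6789' };

// Weak pattern: the raw value goes over the wire with a "please hide it" flag.
function buildWeakResponse(record) {
  return { id: record.id, name: record.name, ssn: record.ssn, maskInClient: true };
}

// Keep the last four digits, replace the first five with '*', and leave the
// separators in place so the UI still lines up.
function maskSsn(ssn) {
  const digits = ssn.replace(/\D/g, '');
  if (digits.length !== 9) throw new Error('expected a 9-digit SSN');
  let toHide = 5; // digits to hide before the last four
  return ssn.replace(/\d/g, (d) => (toHide-- > 0 ? '*' : d));
}

// Hardened pattern: mask on the server; the full value is never serialized.
function buildSafeResponse(record) {
  return { id: record.id, name: record.name, ssnMasked: maskSsn(record.ssn) };
}

// Outbound check: does a response body still contain a full SSN pattern?
// Useful as a last-line guard or a test over API responses.
function containsFullSsn(response) {
  return /\b\d{3}-?\d{2}-?\d{4}\b/.test(JSON.stringify(response));
}

console.log(buildWeakResponse(customerRecord), containsFullSsn(buildWeakResponse(customerRecord)));
console.log(buildSafeResponse(customerRecord), containsFullSsn(buildSafeResponse(customerRecord)));
```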