tzsk / crypton

Laravel Request & Response Encryption
MIT License
39 stars 9 forks source link

What's the point of encrytping something with a publicly visible key? #2

Open OzanKurt opened 5 years ago

tzsk commented 5 years ago

Yes, it is quite difficult to put the head around the fact that it exposes the Encryption key in the Clien-Side Javascript. But I would like for you to keep an open mind and think about the CSRF_TOKEN which is being used in Laravel. It is also visible in the HTML form. Which I can copy and make my own form and send the form from a separate server.

The justification is quite like that. Yes we can see the key. But it is just an extra layer of security on top of our current API implementation. If in case the Public API endpoints are compromised in any case. There it would be hard for the person to figure out the request and response in Postman or any REST Tool.

Idea behind making the package was to keep the attackers busy for some time before compromising the data.

Hope you understand my motivation.

OzanKurt commented 5 years ago

Still, it's half a second loading for someone using mobile, and possibly even more with the usage of CDN instead of bundling it with webpack.

How important is your data to spare that much time to en/decrypt it? I can't think of an example where my payload is so important that I wanna encrypt it.

douglashb commented 1 year ago

There are a lot of utilities for use encrypt and decrypt data, for example, PCI SSD always is extended more practices for better security, in my case I work in Fintech, we encrypt the card user info, and now we begining with the user password to send in request