Thursday, October 6, 2016

A zero-knowledge system with encryption on a client can also be insecure.

Client-side encryption is considered more secure than server-side encryption because in the first case you rely on your own client, whereas in the second you rely on the server. A server might not do encryption the right way; it might even not encrypt at all but claim that it does.

Suppose there's a website where you can encrypt a message with a password. The encryption is done on the client by JavaScript, and the password is never sent to the server. The server only stores the encrypted message. Is this more secure than a version where you'd send your password to the server, which would encrypt the message and save it with a salt in a database? Yes, because we can't know what's going on on the server.

However, even though encryption is done on the client by JavaScript, it's still vulnerable. The server might occasionally and intentionally inject malicious code into the JavaScript file that does the encryption, or slightly modify it, for some users. Not for all users, not for each request, but once in a while and only for randomly chosen users. The malicious code might send the plaintext password to the server. Since a user has used the website for a long time, he trusts it and therefore won't bother to inspect each response and the JavaScript source. Furthermore, a user might not even be aware of this threat and thus might end up having his password leaked and his message decrypted by the owner of the website.
