secure messaging
#1

I have a Chrome extension that talks to my CI-based PHP application. They talk via XMLHttpRequest. I am concerned with securing the communication between the two. How can I encrypt (or hash) a message in PHP that the JavaScript can understand, and how about the other direction? This is not super secure data, i.e. no SSNs, birthdays, or PII. But I do send email addresses and sometimes a photo.
proof that an old dog can learn new tricks
#2

The problem with JS is that it's all on the client side, and they have full access to the source code, no matter how obfuscated it is.

Implementing the HTTPS protocol would get rid of most security issues, because people cannot snoop the traffic between the browser and your server, which is extremely easy to do on public WiFi, for example.

I'm not a security expert, but right now the only other solution I can think of is for the extension to first request a session-based random encryption key from the PHP application, then use that to encrypt/decrypt all data they pass to each other, so only the extension and the server know the key at any given time.

However, I believe that's pretty much how HTTPS works anyway, so it's almost easier to just implement that.
#3

(This post was last modified: 07-22-2018, 07:33 AM by richb201.)

Thanks. What does it mean to "implement"? Is there anything I must physically do other than set it up to use https rather than http? (And of course get my hoster to set it up on their side?)

Btw, I think an extension does allow me to hide stuff in the manifest.json file. I am already using OAuth2 in my extension to speak with Google servers to authenticate a user. So I am pretty sure the user is who they claim to be. I wonder if there is some way to use the fact that they have already been authenticated on the JS side to hide the communication between the JS extension and the CI backend?

I will investigate Google Cloud Messaging (commonly referred to as GCM).

Note: I see that GCM is deprecated as of a few months ago. 
proof that an old dog can learn new tricks
#4

As in implementing HTTPS? Well, you do need to set it up on your server so the web server knows where HTTPS requests should end up, but from the app's point of view, you just change the URL from http:// to https://. There are no other changes you need to make; it's all handled by the browser.