Pryme8 Posted April 3, 2016
So recently I've come to the realization that if I can take or break anything on a web server, then why couldn't anyone else? Which got the cogs turning, and I started mulling over ways to prevent this. Then I started thinking about a way to protect general content, and perhaps extend this to all files on the server. I was thinking if there was a way that before any file went out from the server you would pass it through some sort of encryption code. This I know would be really easy for standard content like text or scripts; you would just encrypt it with whatever key before you upload it... It would be nice if on each request it generated a random key and passed it through a filter then sent it out, but I don't even know the validity of doing something like that. Then of course before the content is displayed to the user you pass it through a decryption method that was loaded to your client with the key for that session. Once that session times out or is terminated the server no longer recognizes that key and the request is blocked like its client is a blacklisted IP. Any sort of cURL or XHR of any kind to the server's response text would then be encrypted and really, really hard to deal with. Am I crazy or is this possible?
WombatTurkey Posted April 3, 2016
You can actually compile JavaScript into native machine code utilizing V8 snapshotting. 30% or so in loss of performance, though. Roger Wang has a great talk on YouTube here.
Pryme8 Posted April 3, 2016
I mean 30%, yeah, when you scale that up by a bunch of users that's a huge amount of additional server overhead. But maybe as technology scales here it will be more applicable?
kahootbird Posted April 3, 2016
It's not a bad idea if you wanted to make it harder for someone to view the HTML portion of code. You could try it with JavaScript to decrypt the main portions of it client side, live on the web and probably mobile. It would have to be fast enough that you would not lose performance. But if that's all it is, then I don't see what's to stop someone from getting the content once it's decrypted; it just might make the standard file "save as" feature of the browser non-functional. I wouldn't call this absolute web security. The user has the decryption key, if they really want to get the content, and a decrypted version of that content in the browser. Also, the terminology "absolute web security" would imply preventing attacks on the security of the site such as SQL injection and cross-site scripting. I don't see how it would prevent that at all.
mmcs Posted April 3, 2016
I agree with kahootbird. If you send the encryption key to the client, it is always possible to use it by looking at the decryption function result. The only utility I find for encrypting and sending info to the client (without decrypting it) is to do stateless user information transference between requests securely.
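The stateless transfer mmcs describes, as an added example that is not part of the original thread: the server encrypts and authenticates session state with a key that never leaves it (AES-256-GCM from Node's `crypto` module), so the client can carry the token between requests but cannot read or alter it. The names `seal`, `unseal` and `SERVER_KEY` and the 15-minute lifetime are assumptions made for this illustration.

```javascript
// Added example: server-sealed state token. Only the server holds the key.
const nodeCrypto = require("crypto");

// Assumption: a real deployment loads this from a secret store so that
// tokens survive restarts; here it is generated per process.
const SERVER_KEY = nodeCrypto.randomBytes(32);
const TTL_MS = 15 * 60 * 1000; // hypothetical token lifetime

// Encrypt and authenticate `state`; returns base64url(iv | tag | ciphertext).
function seal(state, key = SERVER_KEY, now = Date.now()) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every token
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = JSON.stringify({ state, exp: now + TTL_MS });
  const ct = Buffer.concat([cipher.update(body, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64url");
}

// Returns the original state, or null if the token is expired, was
// modified in transit, or was not produced with this key.
function unseal(token, key = SERVER_KEY, now = Date.now()) {
  try {
    const raw = Buffer.from(String(token), "base64url");
    if (raw.length <= 28) return null; // too short for iv + tag + data
    const decipher = nodeCrypto.createDecipheriv(
      "aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const body = Buffer.concat([
      decipher.update(raw.subarray(28)),
      decipher.final(), // throws if the authentication tag does not match
    ]).toString("utf8");
    const { state, exp } = JSON.parse(body);
    return now <= exp ? state : null;
  } catch {
    return null; // tampered, wrong key, or malformed input
  }
}

// Constructed sample: what the server would hand to the client and get back.
function demo() {
  const token = seal({ user: "alice", role: "member" });
  const tampered = Buffer.from(token, "base64url");
  tampered[tampered.length - 1] ^= 1; // client flips one ciphertext bit
  return {
    roundTrip: unseal(token),
    afterTamper: unseal(tampered.toString("base64url")),
    afterExpiry: unseal(token, SERVER_KEY, Date.now() + TTL_MS + 1000),
  };
}
```

This protects the server's own state while it sits on the client; it does not hide content the browser must eventually render, which is kahootbird's point above.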
Pryme8 Posted April 4, 2016
Awesome, that's what I was wondering.
Rudrabhoj Bhati Posted April 4, 2016
On 3/4/2016 at 8:05 AM, WombatTurkey said:
> You can actually compile JavaScript into native machine code utilizing V8 snapshotting. 30% or so in loss of performance, though. Roger Wang has a great talk on YouTube here.
Actually, it is 30% performance, not 30% performance loss; that means a 70% performance loss.
WombatTurkey Posted April 4, 2016
2 hours ago, Rudrabhoj Bhati said:
> Actually, it is 30% performance, not 30% performance loss; that means a 70% performance loss.
Oh, sorry. I thought he meant 30% off; 70% seems a bit excessive / worth it. But then again, I mean, if your code is sacred, go for it lol
Pryme8 Posted April 4, 2016
Haha, in other words not applicable, unless you are like trying to hide information from Russian spies or something.
Rudrabhoj Bhati Posted April 8, 2016
On 4/4/2016 at 2:09 PM, WombatTurkey said:
> Oh, sorry. I thought he meant 30% off; 70% seems a bit excessive / worth it. But then again, I mean, if your code is sacred, go for it lol
The good thing is you can mix normal JS code with compiled JS code. So compile the code which isn't performance heavy, and just minify the performance-heavy code. Finally, in the 21st century, law protects your code more than anything else.