Encrypt cookies in a browser

Encrypt cookies in a browser

In network applications, cookie is a very convenient way to store data. Because of this, you need to pay more attention to cookie security when developing WEB applications. There are many ways to ensure the security of cookies. Here we will discuss another method-browser-side cookie encryption.

Cookie attack

Cookies are stored on the client, usually a piece of text. If the computer is used by many people, other people will be able to see your cookie information and save the ID of the long-term session to forge your identity.

Cookies are often Set by the server through 'set-cookies' in the HTTP header and then sent to the client. In this way, it may be sniffed. You can use SSL/TLS to encrypt network packets to prevent sniffing. However, many websites, including Facebook, Only Use HTTPS links on the logon interface and then switch to the HTTP link. Tools like FireSheep are easy to use to sniff and hijack cookies.

There is also another common attack, cross-site scripting (XSS vulnerabilities) when some programs (usually Javascript) are implanted into the web page program, and then executed without the user's knowledge. When Javascript is executed in this environment, it can read the user's cookie information. This situation is hard to defend against. When a user accesses their website, the user is under full control of the website. You can only expect that website Y has enough security defense to prevent XSS attacks. The only way to completely prevent such attacks is to close Javascript script execution.

Browser-side Cookie Encryption

CompletelyPrivateFiles.com provides a network encryption solution. As part of their infrastructure, they have established a Javascript API that can perform 256-bit AES encryption on cookies. This API is free of charge and can be downloaded here.

This API assigns a random and dynamic seed-key to the user or program to generate a powerful 256-bit key. Then, the client uses this key to encrypt and decrypt cookies. This is a very small API that can be easily integrated into existing programs.

You need an API account to obtain the seed-key from the server in the program. After registration, you will get a sub-token, and then add the corresponding js library to start.

When you need to set a secure cookie, you only need to use

setSecureCookie(secret, cookieName, cookieVal);

Here, secret is the key you need to set, which can be the user name, timestamp, and so on.

When reading cookies:

var cookieVal = getSecureCookie(secret, cookieName);

The secret here must be the same as the secret value previously set.

Cookie Security

Taking into account what we said at the beginning of this article, in each case, the attacker only wants to obtain the cookie value. After we Encrypt this value, the value it obtains is meaningless.

In case someone has the permission to access local resources and can scan the cookie content, what he sees is garbled, which makes no sense.

Or you can send the encrypted cookie to the server through a form, and then the server uses the 'set-cookies' request to enable the client to Set the Cookie. This is also the encrypted content during transmission, there is no security issue when computing is transmitted over HTTP.

 

XSS attacks are difficult to defend against, because attackers have full control over the web page. If the attack is not very specific, they may only read some variables in the memory or read your cookies Based on the XSS vulnerability, however, to obtain valuable cookie information, you must first pass through the decryption.

 

It should be noted that encryption cannot organize malicious users to damage your cookie value, and the program cannot decrypt it. However, this does not damage the value of cookies.

User privacy

In addition to improving security, you can also use encrypted cookies to protect user privacy. As more and more user data is stored on the cloud and privacy issues become increasingly prominent, you may want to ensure that user information can only be seen by themselves.

The solution to this problem is to store sensitive information through encrypted cookies after the user logs on. The cookie has an expiration issue. You can encrypt the cookie and store it on the server. Then, you can use the 'set-cookie 'header to save the cookie for an indefinite period of time.

One example is online payment. transactions are stored on the network, but the actual bank account information is accessed through encrypted cookies. Store the cookie on the server and decrypt it locally. The bank information can be performed in the context of the program, but the user's privacy is also guaranteed.

Summary

Client-side cookie encryption is obvious for improving the security of network applications. Another idea is provided for the security design of your program. He is not only a security tool, but also a privacy protection tool, which is very important in network programming.