this post was submitted on 19 Jan 2024
10 points (72.7% liked)

Web Development

3440 readers
12 users here now

Welcome to the web development community! This is a place to post, discuss, get help about, etc. anything related to web development

What is web development?

Web development is the process of creating websites or web applications

Rules/Guidelines

Related Communities

Wormhole

Some webdev blogsNot sure what to post in here? Want some web development related things to read?

Heres a couple blogs that have web development related content

CreditsIcon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
snowe
erlingur
Ategon
10
End-To-End Encrypted (EE2E) Websites? (lemmy.world)
submitted 10 months ago by [email protected] to c/webdev
18 comments fedilink hide all child comments
 

Is there a way to develop and website using JS (and perhaps PHP) to create an E2EE website. Were all packets sent between the server and the userw device are E2EE, wrapped in a layer of encryption?

I know there is HTTPS but I am looking for something stronger than HTTPS.

By using some JS or PHP E2EE package, would I have to write or structure the website code very differently than you normally would?

you are viewing a single comment's thread
view the rest of the comments
[โ€“] jeremyparker 1 points 10 months ago (1 children)

I had no idea mega did that, that's awesome. The whole idea that the server doesn't have the key, like -- it's so simple, but it never occurred to me. Why would the server ever need to decrypt it?

This shit is wrinkling my brain.

And I'm even more mad at every cloud provider. Why you decrypting my shit, Google?

So I guess the question is, for your site idea, where does the encryption start? Like, you want the text on the page and the form data encrypted, but, is the text on the form's submit button encrypted? If it is, your user has to be a developer to some extent, or you needs to build like a WordPress style wysiwyg editor that also encrypts everything -- and, like, that's kinda cool, but actually writing that code sounds like torture. I'd rather spend all that development time giving myself papercuts and squirting lemon juice into them.

So an encryption "barrier" has to exist. The Mega server doesn't decrypt your file, but it knows that it's getting a file of some kind for you, and it knows the shape of the data. It's not completely ignorant -- and, like the WordPress problem above, you could prevent that -- keep the server from even knowing what it's doing -- again, kinda cool, but it sounds like torture to actually write.

So the question is, where are you putting that barrier? It seems like, wherever that barrier is, is also how deep a non-developer user can get into using it. To put that another easy: the more of the site's content that's encrypted, the more development skills the user has to have.

Or I'm just misunderstanding your project entirely, which I will attribute to the fact that it's 1am.

[โ€“] [email protected] 1 points 10 months ago

Mega uses your account password to decrypt a master key, they only store the encrypted master key on the servers. And all the files you upload and download are decrypted with the same key, and the password never leaves your browser. Thus Mega doesn't have any visibility in the contents of the files and doesn't have the ability to decrypt the key nor the files.

It's fully transparent to the user, no skills required. It pretty much just works. The only downside is if you lose your password your files are gone, there's no password recovery. And of course if your password leaks, 2FA doesn't get you very far.

And it's an extremely bad customer experience to be unable to restore your user's files, so it doesn't get used that often because users don't care. They trust the company and don't care how safe or unsafe it is, but they want their files to be there without hassles.