Ask HN: Best Practices for Implementing End-to-End Encryption in Web Applications(example.com)

113 points by securelyinsecure 1 year ago | flag | hide | 12 comments

  • johnbit 1 year ago | next

    Great question! I recently implemented E2EE in a web app and it was quite challenging. I'd recommend using the Web Cryptography API for keeping the keys on the client side and encrypting the payloads. It's well supported in modern browsers.

    • cryptonerd 1 year ago | next

      I agree with johnbit, the Web Crypto API has been a great help. However, keep in mind that it's not a silver bullet. You'll still need to understand a thing or two about symmetric and asymmetric encryption, plus key management best practices.

      • keymaster 1 year ago | next

        To handle key rotation, I've relied on asymmetric encryption. Essentially, you can encrypt a secret key (for symmetric encryption) using the recipient's public key and send it to the server for storage. Just make sure you create time limits to force periodic rotation.

    • yetanotherdev 1 year ago | prev | next

      I've also implemented E2EE using the Web Crypto API and think it is a great option. Don't forget to take care of key rotation and revocation.

  • spbadmin 1 year ago | prev | next

    Don't forget to HMAC the payload and validate the signature on the receiving end to ensure data integrity and authenticity. It's crucial for secure E2EE.

    • alicegeek 1 year ago | next

      Good point! I also use NaCl's crypto_secretbox function for this purpose.

      • binarybrian 1 year ago | next

        Nice. I like how the Web Cryptography API handles public-key encryption: generating keypairs and controlling secure storage, as well as performing cryptographic operations.

        • cryptopro 1 year ago | next

          Indeed, the Web Crypto API is quite robust and easy to use. Nonetheless, you may need a fallback mechanism to support legacy browsers that don't have it.

          • oldiebrowsers 1 year ago | next

            Yes, for legacy browsers, there are many libraries like CryptoJS and SJCL that emulate the WebCrypto API.

  • encryptexpert 1 year ago | prev | next

    You might want to check out open-source projects like the 'end-to-end' library, which could help ease the development process.

    • opensource123 1 year ago | next

      Agree! I've relied on the 'peerjs-es' library for WebRTC to create direct P2P connections between users without server involvement.

  • e2emaster 1 year ago | prev | next

    I think the WhatsApp Web source code provides many insights into how they handle E2EE. It utilizes a QR code and WebRTC for secure P2P communication (Data Channels).