Best approach for browser-based data encryption: JavaScript libraries vs Java Applets vs Adobe Air

I’m working on a web application where I need to encrypt sensitive data on the client side before sending it to my server. The main idea is that users should have full control over their data encryption and the server shouldn’t be able to decrypt it.

I started looking into JavaScript crypto libraries but found some concerning articles suggesting that browser-based JavaScript encryption might not be secure enough for serious applications.

Then I thought about using Java Applets since my backend is already written in Java. But I’m worried about several issues:

  1. Java applets seem outdated and most developers avoid them.
  2. Users have to deal with Java installation and updates.
  3. Mobile devices don’t support Java plugins.
  4. Modern browsers often block Java by default.

Adobe Air is another option I’m considering, but it has its own problems:

  1. Requires separate installation.
  2. Mobile browser support seems questionable.
  3. Not sure if Adobe is still actively developing it.

What would you recommend for implementing client-side encryption? Are there other technologies I should consider? Is JavaScript really not viable for this use case?

The reasons I want client-side encryption are:

  • Users need maximum privacy for their confidential information.
  • Protection against database breaches.
  • Defense against potential insider threats.
  • Privacy is a key feature I want to offer.

Java applets are dead - browsers dropped support years ago. JavaScript crypto is actually solid now, especially with the native Web Crypto API. Yeah, there’s some risk, but it works well for most things if you don’t mess up the implementation.

JavaScript encryption gets a bad rap mostly from old discussions when the ecosystem sucked. The Web Crypto API changed everything - it gives you native browser crypto without sketchy third-party libraries. I’ve built several apps this way and the security’s solid when you don’t mess it up. Just nail your key management and know your threat model. Your other options are dead ends. Java applets need security exceptions nobody grants anymore, and Adobe Air died years ago. Go with JavaScript and Web Crypto API for modern browsers. Add progressive enhancement for legacy browsers if you must.

In my experience, especially in finance, JavaScript crypto libraries are a solid choice despite concerns. Many issues stem from outdated practices rather than the technology itself. Java Applets are obsolete and generally unsupported in modern browsers. Adobe Air is similarly outdated, which could lead to future challenges. I recommend using contemporary JavaScript libraries like the Web Crypto API or crypto-js, focusing on strong implementation practices. This way, you can leverage client-side encryption effectively while ensuring broad compatibility and maintaining user privacy.
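The Web Crypto approach recommended in the replies above, as an added example that is not part of any post in the thread: a passphrase-derived AES-GCM key encrypts data in the browser so the server only ever stores salt, IV and ciphertext. The function names, the record layout and the PBKDF2 iteration count are assumptions made for this sketch.

```javascript
// Added example: password-based client-side encryption with the Web Crypto API.
// Runs in browsers; the fallback lets the same code run under older Node.js.
const webCrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webCrypto.subtle;
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for your clients

// Derive a non-extractable AES-256-GCM key from the user's passphrase.
async function deriveKey(passphrase, salt) {
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the record the server stores (hypothetical layout): no key material.
async function encryptForUpload(passphrase, plaintext) {
  const salt = webCrypto.getRandomValues(new Uint8Array(16));
  const iv = webCrypto.getRandomValues(new Uint8Array(12)); // fresh per message
  const key = await deriveKey(passphrase, salt);
  const ciphertext = new Uint8Array(await subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  return { salt, iv, ciphertext };
}

// Throws if the passphrase is wrong or the record was modified (GCM tag check).
async function decryptDownloaded(passphrase, record) {
  const key = await deriveKey(passphrase, record.salt);
  const plain = await subtle.decrypt(
    { name: 'AES-GCM', iv: record.iv }, key, record.ciphertext);
  return new TextDecoder().decode(plain);
}
```

The passphrase and the derived key never leave the client, so a lost passphrase means the stored record cannot be recovered by the server either.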