I'm building a journal web application and I want to encrypt the data on the client. Are there any best practices or guidelines? How should I go about this?
Also, any lib recommendations? cryptojs? OpenPGP?
I also want to encrypt images.
Thank you
Client side encryption with web technologies is a myth -- any code you send to the client is visible to the client -- PERIOD, therein if the security part isn't built into the browser (and even then being built on open standards) then you don't have security. ANYONE telling you otherwise doesn't know enough about how things work to be flapping their gums on the topic.
It's like the question that comes up on web development forums every two or three weeks -- well, it's a series of questions with some variations ranging from "how do I stop people from copying my images" or "copying my scripts" or "stealing my content?"
... and it all gets the same answer; if it's that damned important and you don't want anyone else to use it, DON'T PUT IT ONLINE. Everything from there is a matter of degree.
Even HTTPS is a house of cards, and anyone determined enough sitting "in the middle" can slap that aside faster than the majority of script kiddies can bypass NTFS "security". (and yes, I made air quotes with my fingers like Doctor Evil when I said "security"... "Laser")
The only thing that even comes close is using JavaScript, but again that code has to be sent, a common value has to be present client and server side for it to be decoded, meaning it doesn't actually do a blasted thing other than waste bandwidth. This is made WORSE by the fact that such scripttardery usually has zero graceful degradation for UA's that either don't have JS or are actively blocking it due to trust issues, bandwidth issues, etc...
.... and if this is a web based system, telling users with security or accessibility concerns to go plow themselves is NOT a recipe for success. ALWAYS have a scripting off graceful degradation plan in place if it is for anything important.
Just a question here. Won't HTTPS prevent man-in-the-middle attacks, making the client-side encryption redundant?
I guess you mean browser as client in this case?
I use cryptojs to convert passwords and usernames so I don't know what they actually are before submitting them to my server. But I just did it because I was curious.
What are you trying to accomplish? Do you just want to have an encrypted transmission, and no clue what's transmitted? You can use cryptojs (anonymous logins and such where the user still uses his password and emails) (hashing).
Or you can use this as a security hash to verify the data was not altered during the transmission.
But as soon as you're talking about something like client-to-client communication, an SSL certificate and a P2P connection should do the trick: https://webrtc.org/
If you wanna store and reuse code, maybe http://bitwiseshiftleft.github.io/sjcl/ does the trick.
You need to be more specific about what you want. I just randomly assume use cases because you mentioned cryptojs.
Maybe you're talking about Swift and Android, which changes the whole game because you have control over the client :)
Catalin
Hi,
I think you misunderstood me. I don't want to encrypt code or images/content so others can't steal it. I want to encrypt "user data", data that is written/uploaded by the user. I want to do this on the client so the server can't ever see what this data is. The way this should work is that I load the data in the browser and ask the user for the password (which never leaves the browser) to decrypt the data and present it.
So how should I go about this? Some guidelines or best practices?
Any ideas on how I should encrypt images? How do I store them?
Thank you.