RE: Encrypted URL

["Hephaestus" <hephaestus () phreaker net>]

> In many systems, users submit data to the web application. To do this, we
must
> either (a) send it as unencrypted data, (b) use a wellknown encryption
system
> such as HTTPS, or (c) invent our own encryption system, which must then be
> transmitted to the user (as JavaScript or similar code) in order to use
it. In
> all three cases, the user is fully aware of the method's all details, and
can
> write clients that will send in arbitrary malicious data to the web
application,
> using the method.

If the data has to be read *on the client side*, then encryption is just a
form
of obfuscation.  However, it is quite common that what is really going on is
that
the server is talking to itself *through* the client, to avoid storing lots
of
state on the server side.  In those cases, simple strong symmetric
encryption
works wonderfully, since transmitting information securely through a
potentially
insecure link is exactly what it was designed for.  In fact, it's even
easier
than the normal communications case, since your server is talking to itself,
greatly simplifying the key distribution problem :)

It actually suprises me somewhat that so many cookies on my machine (and
hidden
fields in forms ...), even from relatively high security sites, are in
plaintext,
despite the fact they are never manipulated client-side.  Saving CPU cycles,
I guess.