Introduction
Encryption has become a vital tool for protecting data online. For protecting data in transit we have the now-ubiquitous HTTPS. For protecting data at rest we have a number of schemes for data encryption. However, for protecting web assets at rest there are very few options.
Anyone who wants to serve data to a large number of clients generally has to use third-party services such as a CDN or a DDoS protection service. These cloud services are able to see the data that is being stored and served.
This poses a problem for anyone handling sensitive or confidential information. That is why we have developed a solution.
ObscuroWeb — Functional Overview
The person setting up the website encrypts the HTML files, as well as any other assets, and publishes them somewhere accessible on the web. Then, they create another page which contains a loader and decryption key. The loader will download, decrypt, and display the page. While the page and assets may be on a number of CDNs or cloud servers, the actual key is only accessible in a particular place. The key might also be fetched from an API or from the user’s own browser storage.
Potential Use Cases
An organization may host an internal newsletter with sensitive information on a server that resides on premises. With ObscuroWeb, they could move the newsletter to a cloud-based CDN and host only the loader and decryption key on the server. This would reduce server load and possibly speed up the page loads.
Someone dealing with sensitive records could store them in an S3 bucket, but restrict access using the loader and a system to lock the key behind some form of authentication.
Drawbacks and Limitations
- Decryption can be slow.
- Decryption might use more battery.
- There is no effort made to verify assets that are downloaded, except that they were encrypted with the key used.
- A lot of memory is used as multiple copies of the data must exist in full simultaneously.
- If the key is publicly available, the privacy benefits are negligible.
- Keys cannot be easily changed, as all assets have to be re-encrypted and re-uploaded. The loader must also be re-configured with the new key. This will almost inevitably cause a disruption in service.
- Any attempts to apply compression to the files as they are being transferred (e.g. Brotli, GZip) will be either of no benefit or actively counterproductive.
- Webpage loading is somewhat ugly, as there is a delay for content to load.
- Websites using JavaScript will need to be redesigned somewhat, as updating an entire page at once will not run the scripts present on the new page.
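The publish-and-load flow from the functional overview, and the verification limit noted in the drawbacks, as an added example that is not ObscuroWeb's own code. It assumes an authenticated cipher and uses Node's built-in ChaCha20-Poly1305 in place of libsodium; encryptAsset, decryptAsset, demo and the assetPath parameter are hypothetical names, and the sample pages are constructed.

```javascript
// Added example: Node's built-in ChaCha20-Poly1305 stands in for libsodium (assumption).
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const NONCE_LEN = 12, TAG_LEN = 16, ALG = 'chacha20-poly1305';

// Publisher side: returns nonce || tag || ciphertext, the blob uploaded to the CDN.
// assetPath (hypothetical parameter) is bound as associated data when given.
function encryptAsset(key, plaintext, assetPath = null) {
  const nonce = nodeCrypto.randomBytes(NONCE_LEN);
  const cipher = nodeCrypto.createCipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  if (assetPath !== null) cipher.setAAD(Buffer.from(assetPath, 'utf8'));
  const body = Buffer.concat([cipher.update(Buffer.from(plaintext)), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Loader side: returns the plaintext Buffer, or null if authentication fails.
function decryptAsset(key, blob, assetPath = null) {
  if (blob.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = blob.subarray(0, NONCE_LEN);
  const tag = blob.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(ALG, key, nonce, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  if (assetPath !== null) decipher.setAAD(Buffer.from(assetPath, 'utf8'));
  try {
    return Buffer.concat([decipher.update(blob.subarray(NONCE_LEN + TAG_LEN)), decipher.final()]);
  } catch {
    return null; // wrong key, modified blob, or mismatched associated data
  }
}

// Constructed sample data: two pages encrypted under one site key.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const index = encryptAsset(key, '<h1>Newsletter</h1>');
  const draft = encryptAsset(key, '<h1>Old draft</h1>');
  const boundDraft = encryptAsset(key, '<h1>Old draft</h1>', '/draft.html');
  const flipped = Buffer.from(index);
  flipped[flipped.length - 1] ^= 1; // one bit changed while in storage
  return {
    normal: decryptAsset(key, index).toString(),
    tampered: decryptAsset(key, flipped),
    wrongKey: decryptAsset(nodeCrypto.randomBytes(32), index),
    swapped: decryptAsset(key, draft).toString(), // loader asked for index, got draft
    swappedBound: decryptAsset(key, boundDraft, '/index.html'),
  };
}
```

The `swapped` result shows what "encrypted with the key used" does and does not cover: a different blob under the same key still decrypts. Binding the requested path as associated data rejects it, which is a mitigation added here and not something the page says ObscuroWeb does.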
Demo
A demonstration is available on JimmyNet: https://jimmyhoke.net/obscurowebdemo
Conclusion
ObscuroWeb shows how you can, with just a few lines of JavaScript and libsodium, dynamically load and decrypt web resources.