Forum Discussion

Perry_Ler_71437
Sep 21, 2010

iRule to encrypt form submission

Hi,

I am trying to figure out how I can do form element encryption when logging in through the F5 Edge Gateway. Although the login page for the APM is already on HTTPS, my auditor insists that the ID and password should be hashed or encrypted before being submitted from client browsers to the F5 gateway. Has anyone here done anything like this?

I am trying to figure out how I can insert the JS into the login page of the APM and then encrypt the form elements before they are submitted to the Edge Gateway. Can anyone guide me in the right direction?

Thanks

Perry

 

2 Replies

  • Hi Perry,

    To be honest, I haven't had enough time to play around with APM yet to answer your question. But why would an auditor ask to encrypt user input on the client when it's already encrypted on the network using SSL/TLS? What advantage do you get for all of the additional overhead and complexity?

    Aaron
  • We must share the same auditor; failing to see the forest for the trees. Your auditor is asking for obscuration, not meaningful encryption; a determined attacker wouldn't be stymied by this at all.

    With the connection already covered between APM and the browser via TLS, the transaction is encrypted, period. An attacker who would be able to decrypt the SSL session won't be stymied by a JS-delivered form field encryption -- which, by the way, would need to be provided a key within the JS method with which to encrypt it. If the user's PC or SSL session is compromised, there's no security to be gained from a client-side field encryption.

    Good luck.
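
The point made in the last reply, as an added example that is not part of the original thread and is not F5 or APM code: if the field-encryption key is delivered inside the page's JS, any party that can read the decrypted session holds both the key and the ciphertext. It assumes a symmetric key embedded in the page; `FIELD_KEY`, `password_enc`, the function names and all sample values are hypothetical and constructed for the illustration.

```javascript
// Added illustration; every name and value here is constructed, not APM's.
const nodeCrypto = require('node:crypto');

// What the gateway would have to serve: a login page whose JS carries the key.
function buildLoginPage(keyHex) {
  return `<form id="login"><input name="username"><input name="password"></form>
<script>const FIELD_KEY = "${keyHex}"; /* used to encrypt fields on submit */</script>`;
}

// What the browser-side JS would do with that key before submitting
// (AES-256-GCM chosen for the example; output is base64 of iv | tag | ciphertext).
function encryptField(keyHex, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', Buffer.from(keyHex, 'hex'), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Whoever can read the TLS plaintext sees the page and the POST body alike,
// so the key the browser used is available to them as well.
function recoverFromCapture(capturedPage, capturedBody) {
  const keyHex = /FIELD_KEY = "([0-9a-f]{64})"/.exec(capturedPage)[1];
  const field = new URLSearchParams(capturedBody).get('password_enc');
  const blob = Buffer.from(field, 'base64');
  const decipher = nodeCrypto.createDecipheriv(
    'aes-256-gcm', Buffer.from(keyHex, 'hex'), blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

// One login round trip with constructed credentials.
function demo() {
  const keyHex = nodeCrypto.randomBytes(32).toString('hex');
  const page = buildLoginPage(keyHex);
  const body = new URLSearchParams({
    username: 'alice',
    password_enc: encryptField(keyHex, 'S3cret-example!'),
  }).toString();
  return { body, recovered: recoverFromCapture(page, body) };
}
```

The password never appears in the POST body in clear form, yet it is recovered from the same two messages TLS was already protecting.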