A demo/proof of concept for encrypting web pages with JS.
Here's a diagram of how this works:
Server sends Login Page with JS --> Client sends username + hashed password --> Server checks hash
If password is correct:
Server saves login timestamp --> Server encrypts data (ex. admin page) with password as key --> Client receives and decrypts data with password
Post data:
Client sends any post data encrypted with password + timestamp encrypted with password --> Server decrypts post data --> Server checks timestamp to prevent replay attacks --> Server updates last post timestamp
npm install
node server.js
go to http://127.0.0.1:3000/
login with username: user1
password: testpass
run mitm or other interception to test encryption
use test post to check encryption after login
Most people will see this project and think, doesn't HTTPS already stop the MITM issue? Yes, HTTPS does encrypt web pages, and it does it better. However, there are still sites using unencrypted HTTP. I'm referring to local login pages, like router admin pages or printer login pages. Many of these are using plain HTTP or self-signed HTTPS certificates, which are vulnerable to MITM attacks.
This implementation will help protect against some forms of MITM:
It will prevent attackers from seeing the data sent unless they know the client's password.
If done right it can also encrypt HTML data.
By checking the timestamp of each POST message, replay attacks are mitigated.
The biggest issue with plain HTTP is an attacker's ability to completely modify the data. By redirecting to a phishing site, removing the encryption JS, or injecting their own JS, the attacker can easily bypass the encryption protocol. It also doesn't encrypt data during signup/registration, as there is no pre-shared key.
HTTPS should always be preferred over this method. It's able to stop all the MITM methods I mentioned above, and it's already proven technology. But when HTTPS is not an option, I think this is better than nothing.