Feature Request: Add GPG encryption of callback data with OpenPGP.js
BoBeR182 opened this issue · 3 comments
Add GPG encryption of callback data with OpenPGP.js
This can be done with something similar to https://github.com/rs-loves-bugs/xsshunter/blob/main/probe.js#L28
Thanks for this suggestion. I already have it on my todo list, and I'm planning to add this to the 4.2 release.
Would you expect the data to be encrypted at the client, and be decrypted by the application on callback?
Or would you expect the data to be stored encrypted and decrypted client-side in the manage panel?
The first option would be easier to do, and still allows alerts, statistics and more, but is it needed?
The second option would need a LOT of code changes for this to work, and breaks some big details about ezXSS, so I am trying to figure out if it is worth it. What would be the big benefit of this?
I've taken my time to look into this issue.
As said before, there are 2 ways to implement this. I think the first method I suggested is not really improving much, so that is out of the way.
The second method could be cool, but I still wonder if it is worth the recoding of ezXSS.
Encrypting and storing the encrypted value would need a new table for encrypted reports. This probably also needs a new page for encrypted reports. These can then be clicked to only view the encrypted value, which can be decrypted locally to retrieve the JSON. An option could also be made to decrypt and view the data within the ezXSS platform.
I tried some things out, but it looks like a lot of work for a little feature. I also don't believe you need to store this data encrypted, even though it sounds good. In regular situations I do not expect the database or the code to leak any data.
I will close this issue for now, since it is just not worth it. If this gets requested more in the future, I might think about it again, but for now this will not be included in the new ezXSS.
Thanks for the suggestion.