A couple of days ago, Nicholas Zakas wrote an article about secure client side storage. I think the scenario he mentioned (working from a cyber cafe) is not unsafe by nature, and could be well handled by an application. Nonetheless, client side storage such as
localStorage still is subject to DNS spoofing attacks (which is the main security issue, I think). To handle this, one needs to encrypt the keys and values in the store.
So here you go:
dojox.storage.encrypted, a Blowfish encrypted storage. It sits on top of
dojox.storage, and you get all the dojo storage manager goodness, mainly the automatic selection of the best storage provider available. It exposes the complete API that
dojox.storage does. If an attacker gains access to the storage area, he can still nuke the storage, but the data found within will be useless.
I’m not completely happy with it’s architecture, and I didn’t have the time yet to fully test it with all providers, but it works pretty well with
localStorage and the performance is not too bad. If you have a spare minute and are interested, feel free to to test it yourself (ah I know, you don’t have the time yourself, but I’d be thankful!)…
Just use it as you would use dojox.storage, except that you need to set your passphrase before you start working with the storage:
dojo.require("dojox.storage.encrypted"); var sto = dojox.storage.encrypted; sto.setPassphrase("my super secret passphrase"); sto.put('key','value'); var value = sto.get('key');
dojox.encoding.crypto.Blowfish but that’s been in dojo for ages, so no worries.
To use it, just put the
encrypted.js file in your dojox/storage directory.