Hey folks, I'm trying to wrap my head around something. I work at a SaaS company that really relies on integrations with a huge UK-based partner. Recently, they added client-side encryption to some of their frontend API endpoints without giving us a heads-up, which caused our integration to fall apart. Thankfully, I managed to reverse engineer their approach within an hour after the issue popped up.
This has me questioning the reasoning behind their encryption. They started encrypting sensitive form data like registration numbers and passwords before the data gets sent to their backend. I dove into their heavily obfuscated JavaScript, uncovered the encryption method, and even found their encryption key in the headers of an API call when the site loads. I quickly implemented a fix on our end using their encryption method.
But honestly, what's the security benefit here? SSL already encrypts everything during transmission, and if they were worried about compromised browsers, attackers can still access the form values or figure out the encryption key just like I did. Isn't this just security through obscurity? I'd expect better from a company with a big development team. What's the real purpose here?
5 Answers
We do client-side encryption to protect our intellectual property. I get that anything sent to the client can be accessed, but we aim to make it harder than just checking network requests or local storage in dev tools.
It seems like they just want to complicate things for anyone not in the know. It’s less about actual security since, like you mentioned, TLS covers that. They probably wanted to discourage unauthorized integrations like yours.
One potential motive could be compliance. By implementing client-side encryption, they can tackle future regulations and manage SSL termination better without handling sensitive data between their edge node and internal systems. Good idea? Not really, but it checks a lot of compliance boxes.
Totally! It's all about layering security. They could've made it even tougher to retrieve that secret key, though. It’s kind of a shift towards adding friction rather than having solid security in place.
From what I gather, they're really trying to prevent usage like yours. This isn't intended to be a public API, and they likely want to keep it that way. The client-side encryption adds a layer of difficulty for using their frontend API as if it's public, even though it isn’t foolproof.
Exactly! It’s frustrating since we were actively partnering with them while they set up our integration. Seems a bit contradictory.
That makes sense! But it’s puzzling because our integration was officially sanctioned; they even helped us set it up. They might have overlooked the fact that partners are using their API too.