Welcome to TightConnect, Practical Open-Source Security for Websites, Page 1

If there is a notice bar at the top of the window, please right-click on it and select "Allow Blocked Content".

Introduction

Many Websites contain public information (such as the description of a company) as well as private information (such as a user's financial information) that must be kept secret. The Webmaster has a choice of enabling Secure Sockets Layer (SSL) cryptographic transmission for part or all of the Website. Since SSL, as currently implemented, has several noticeable drawbacks (listed on page 3), many Webmasters and Web designers create their own techniques for hiding sensitive information. These techniques have their own drawbacks (they require extra design and debugging time, they may not be cryptographically secure, they may introduce their own response delays or intrusive user interaction mechanisms, and so forth).

There is clearly a need for a relatively simple implementation of selective cryptographic data transmission that is Open-Source, provably secure, uses standard technology easily and freely available at both the Webserver and user or browser computers, is usable on multiple computer platforms, and is reasonably small and fast.

Important Note

All known cryptographic-based secure communications protocols have weaknesses. History has shown that eventually all such systems are thoroughly broken. Although TightConnect makes use of current reliable cryptographic techniques, it has a finite but unknown lifespan. Any security technology like TightConnect must be changed and improved as new techniques become available.

A Diffie-Hellman Demonstration

The following two pages demonstrate the Diffie-Hellman protocol, which allows the user's browser and the Webserver for a visited Web page to construct a secret yet shared encryption key.

The wonderful thing about this key agreement protocol is that anyone may intercept both sides of the communications, yet will have no clue as to the value of the shared secret key. They also may have access to the full program source code or binary. They can only break security if they have hardware-level access to the Webserver or the user's computer or can redirect the communications through themselves (Man-In-The-Middle attack).

The browser-side software is written in JavaScript. The Webserver-side software is written in PHP.

The full TightConnect software includes authentication (secure identification of each party to the other), which prevents Man In The Middle (MITM) attacks and supports logging in to the Website. Each side uses the shared secret as the generator of the first of a series of unrelated keywords. Each keyword is used only once, to encrypt one set of data sent from one side to the other using a standard symmetric encryption algorithm.