How to create encrypted requirements in the production environment?

-1

I was analyzing a frontend application written in Symfony (PHP), and when opening its requests I came across the contents of this image:

[image: enter image description here]

I found it interesting because the request name is encrypted, as well as the URL, body and header: [image: enter image description here]

My question is simple: is this setting something done in the backend, the frontend or the server? Is it some library? Would you have an example?

I believe it is important to everyone, because I am developing an application in React and I would like to apply this concept.

1 answer

0

I don’t understand where the encryption is. From the images, you made a request to http://xxx.xxx.xxx.xxx:8000/Orders/create/modules/2 and this URL was converted to http://xxx.xxx.xxx.xxx:8000/_wdt/b5c7c1; apparently, I didn’t see any encryption at this point.

Simply put, this is done in the translation from the friendly URL to the traditional one; this name is the beginning of the hash used to identify the request, from the gzip/deflate itself. For there to be encryption, the 2 interlocutors must know how to encrypt and decrypt the message; that is, to transmit encrypted data, both the front end and the back end have to be prepared to create the encrypted string and to decrypt it in order to use it.

It is not a fast process, nor is it extremely simple, since it involves mathematical concepts of private keys, public keys and encryption algorithms, and both encrypting and decrypting require a certain computational power (the cost of the algorithm). And of course, you may be doing this in layers, because if you use HTTPS, it already performs this encryption between the 2 points; that is, if the message between the servers is intercepted or sniffed, for example, it is encrypted by the protocol itself.

Everything in the HTTPS message is encrypted, including headers, requests and replies. And yet, you can still add an extra layer of security by hashing data, for example for passwords, to validate binary file contents, among others, where the only purpose is validation (for example, for a password, whenever it is generated, the same hash is generated, but from the hash it is not possible to know the original data). When it is necessary to convert the text back, then yes, we have cryptography. We can, in a very simple way (wrong, as it were, but it will illustrate what I mean), say that when we convert a text using Base64, as in:

Original text: Olá, mundo!
Text converted to Base64: T2zDoSwgbXVuZG8h

This alone is an encryption, since we can decode and get back the original data. However, it is an extremely simple algorithm by current standards and totally unsafe to be used for the purpose of encrypting something, so it is wrong to say that it is a cryptographic algorithm; there are specific algorithms for encryption, like RSA.
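
The three operations the answer mentions (Base64 conversion, hashing, encryption with a key), side by side on the answer's own sample text; this is an added example for Node.js, not part of the original answer. It uses AES-256-GCM with a randomly generated key instead of the RSA the answer names, and all function names are illustrative.

```javascript
const crypto = require('node:crypto');

const SAMPLE = 'Olá, mundo!'; // sample text taken from the answer above

// 1. Encoding: Base64 involves no secret, so anyone can reverse it.
function b64Encode(s) { return Buffer.from(s, 'utf8').toString('base64'); }
function b64Decode(b) { return Buffer.from(b, 'base64').toString('utf8'); }

// 2. Hashing: a one-way digest; same input gives the same output,
//    which is what makes it usable for validating file contents.
function sha256Hex(s) {
  return crypto.createHash('sha256').update(s, 'utf8').digest('hex');
}

// 3. Encryption: reversible only by a party holding the key.
//    GCM also authenticates, so modified ciphertext is rejected.
function encrypt(key, s) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(s, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(key, box) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]).toString('utf8');
}

// True when the key is right and the data is unmodified, false otherwise.
function canDecrypt(key, box) {
  try { decrypt(key, box); return true; } catch { return false; }
}

// Constructed tampering case: flip one bit of the ciphertext.
function flipFirstBit(box) {
  const ct = Buffer.from(box.ct);
  ct[0] ^= 0x01;
  return { iv: box.iv, ct, tag: box.tag };
}

const key = crypto.randomBytes(32);      // constructed key, shared by both ends
const wrongKey = crypto.randomBytes(32); // a party that lacks the real key
const box = encrypt(key, SAMPLE);

console.log('base64 :', b64Encode(SAMPLE), '->', b64Decode(b64Encode(SAMPLE)));
console.log('sha256 :', sha256Hex(SAMPLE));
console.log('aes-gcm:', box.ct.toString('base64'), '->', decrypt(key, box));
console.log('wrong key ok?', canDecrypt(wrongKey, box),
            '| tampered ok?', canDecrypt(key, flipFirstBit(box)));
```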
