Encrypted chat

Hi!
Planning to start building a chatting system now.

Preferably I’d like the messages in the database table to be encrypted.
Can someone push me in the right direction with using the login session / login password to decrypt the user’s messages? Or maybe there is a better way?

Hi @htatd ,
This is a very long one that might require explanation, so I recommend you review the examples made with Diffie-Hellman.

Ok thank you, will research that. Do you think this can be done out of the box with Wappler or will I need to use custom code?

Diffie-Hellman is not yet included in Wappler (maybe @patrick can add it in the future, I don’t know). But if you want to use Diffie-Hellman, yes, you will have to write some code.

So I did some research since yesterday and it turns out that I don’t need end-to-end encryption.

Slack for example uses only “encryption in transit and at data rest” which apparently the digitalocean managed database does too, so I’m all set with that.

What bothers me though is that I don’t want to personally see the messaging data of users when I access the database. How would Slack handle that, from a privacy point of view, with all of their developers and employees having access to the database?

You need to use end-to-end encryption to protect against attacks like man in the middle.

This is a very broad subject and it would be wrong to jump to conclusions.


I understand, Slack doesn’t use end-to-end encryption though. So I thought maybe to go that way.

I’m also looking at using a service like https://virgilsecurity.com, will look if I’ll be able to implement it with Wappler.

Encrypting the data within the database is easy: simply use Encrypt with Password when saving it and Decrypt with Password when retrieving it and passing it back to the client end. That way the message will be stored encrypted. Not 100% secure, but it keeps prying eyes away.


“Encryption in transit and at data rest” just means you use HTTPS and a database that stores its data encrypted on disk; you don’t have to do anything within your code for that. Normally the encryption on the database is based on the database user: it uses the database user’s password to encrypt and decrypt the data. This happens behind the scenes and you don’t have to do the encryption yourself.
