

Ask HN: is Client Side Encryption for payments secure? - sarhus

Stripe and BrainTree both provide Client Side Encryption.

However, after reading the Matasano article http://www.matasano.com/articles/javascript-cryptography I'm concerned about how secure client side encryption would be.

Any thoughts?
======
ritratt
I am no expert.

Client side encryption is unexplored. Secure crypto is possible only through
extensive peer review, which is missing in the case of client side encryption
using JS.

I think SSL/TLS is sufficient if implemented correctly. The only advantage
that client side encryption using js offers is that the contents are not known
to the server. Whereas in the case of SSL/TLS, the server basically has access
to all your encrypted data since they hold the keys. But I digress. Client
side encryption needs more R&D.

------
jtdowney
The purpose of client-side encryption in Braintree.js is to reduce the PCI
scope for the merchant and is not the only way the data is protected. Every
encrypted value is still sent over HTTPS to the merchant's server and again
over HTTPS to Braintree itself. In this chain, however, the merchant will be
unable to decrypt the values submitted and can only pass them on to Braintree.

(Disclosure, I work for Braintree)

------
ig1
It's not client side (javascript) encryption, it's run over https.

