Ask HN: Best practices to encrypt user data in transit? - swyx
======
bigiain
In transit? Unless you know why you need something else - just use TLS. If you
get to choose (as in - do not need to support WinXP/IE6/Android versions <
4.4) - select TLS1.2 with "safe/modern" ciphers.

Read the "website security" and "client server application security" sections
of this and choose the advice closest to your project needs:

[http://latacora.singles/2018/04/03/cryptographic-right-answers.html](http://latacora.singles/2018/04/03/cryptographic-right-answers.html)

and the discussion of that from last week:

[https://news.ycombinator.com/item?id=16748400](https://news.ycombinator.com/item?id=16748400)

The great advice there is "Let AWS AELB handle it for you".
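Added example (not from the thread or from any of its posters) of what "TLS 1.2 with safe/modern ciphers" looks like in code: a Python `ssl` server context restricted to TLS 1.2+ and forward-secret AEAD suites, plus a small audit that flags legacy suites by name. The cipher-name patterns and the `certfile`/`keyfile` parameters are assumptions for illustration, not anything the posts specify.

```python
"""Build a TLS 1.2+ server context with modern ciphers and audit it."""
import re
import ssl

# Forward-secret AEAD suites only (OpenSSL cipher-string syntax).
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Assumed name patterns (OpenSSL naming) that mark a TLS 1.2 suite as legacy.
WEAK_PATTERNS = {
    "RC4": r"\bRC4\b",
    "3DES": r"3DES|DES-CBC3",
    "export/null": r"\bEXP|NULL",
    "MD5 MAC": r"-MD5\b",
    "SHA-1 MAC": r"-SHA\b",                    # e.g. ECDHE-RSA-AES128-SHA
    "no forward secrecy": r"^(AES|RSA|PSK|CAMELLIA|SEED)",  # static RSA/PSK kex
}


def modern_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2 minimum, ECDHE + AEAD only, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION      # CRIME-style mitigation
    if certfile:                              # hypothetical paths, caller-supplied
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_cipher_names(names):
    """Return [(cipher_name, reason)] for every name matching a weak pattern."""
    findings = []
    for name in names:
        for reason, pattern in WEAK_PATTERNS.items():
            if re.search(pattern, name):
                findings.append((name, reason))
                break
    return findings


def audit_context(ctx):
    """Return a list of (setting, problem) findings; empty means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("minimum_version", ctx.minimum_version.name))
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append(("compression", "TLS compression enabled"))
    # TLS 1.3 suites are all forward-secret AEAD; only the TLS 1.2 list needs checking.
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return findings + weak_cipher_names(tls12)


if __name__ == "__main__":
    print("modern context findings:", audit_context(modern_server_context()))
    print("constructed legacy list:", weak_cipher_names(["AES128-SHA", "RC4-MD5"]))
```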

------
swyx
I am a security newbie and I want to wise up a bit more about this. Honestly,
I know I can encrypt my user's data using some sort of key that only a user
will know, but how do I pick that key so it involves minimal friction for the
user? Since my server knows basically everything about the user when they are
authed in, does it just mean like a second clientside only password? Are there
libraries that are well known for this kind of thing? What backend
requirements do I need?

~~~
jlgaddis
You need to provide more details on what your goal is.

Right now, the best answer one can give you is "it depends".

------
kenjikato
This is kind of a loaded and open-ended question. Without knowing something
about the architecture, or what your goals are, it's hard to answer.

Is this for a web page or web app, native iOS/Android app, desktop app?

Is this for Client/Server or P2P?

Are you sending files that can be encrypted, or is it a real-time connection
link of some sort?

In general, you can use TLS/SSL (as mentioned by @bigiain), but there are
other use cases where you might want to do something more specialized.

