Some serious words before you continue reading!
NoSSL is not a replacement for SSL certificates and other means of protecting your website against intrusion. It is only a tool to enhance your website's security. Also, there may be flaws in the concept or in the code that we do not know about yet, which may compromise the security of NoSSL. We strongly discourage the use of NoSSL as the only protection for websites with highly confidential information such as patient data, bank data, etc.! If you have any concerns, please let us know!
The technology of NoSSL
NoSSL was developed because many websites do not use any kind of protection for their forms (e.g. login form, contact form, etc.). The high cost and questionable security of commercially available SSL certificates were a further reason to develop NoSSL.
NoSSL uses asymmetric and symmetric encryption between client and server. After the first loading of the page has completed, the client requests the server's public RSA key via an AJAX handshake. The client generates a random 256-bit AES key, encrypts it with the RSA key and sends it to the server, which responds with a NoSSL session key. Client and server both store the AES key for the duration of the session. All messages sent between client and server are formatted ("armored") in a NoSSL-specific, text-readable format. Each message also contains an encrypted unique message ID, so NoSSL protects against the reuse of NoSSL messages by a third party (e.g. a man-in-the-middle). In addition, the time after which a message is voided can be configured (e.g. a one-minute time-out, after which the message is no longer accepted by the other party).
Please note: in the current release 1.1, only encryption from client to server is supported, as there were no requests from developers for encryption from server to client!
Cryptographic analysis of NoSSL
Libraries / scripts used:
PHP: AES implementation in PHP, (c) Chris Veness 2005-2011; PHPSecLib
Critical analysis: The AES and RSA implementations may be flawed and pose a security threat.
Critical analysis: The window.crypto functions should be sound. However, many (older and mobile) browsers do not support this functionality, and in those browsers the implemented Fortuna fallback may be flawed.
NoSSL should provide sufficient security for typical websites that have only a simple login or a contact form. NoSSL should not be used for systems that transmit critical data such as credit card numbers, banking information or patient data. The current prerelease version must not be used in any production system.