Why Don’t You Use Public Key Encryption To Protect Your Data Sent From the Browser?

I recently asked a software developer why they didn’t encrypt sensitive data sent to the back-end application. “Well, we use https, so it’s okay.” “But, before we get to the tunnel, and after it, anyone and anything can read the data. How can you know it is a trusted API you are dealing with?” “Well, it’s not my problem, it’s up to https to do that.” Unfortunately, we rely too much on machine-to-machine tunnels such as SSL/TLS. These do not protect data from a malicious proxy running on the client machine or on the server.

“Why don’t you encrypt data in the browser?” I then said. “But it will take too long!” “Is a few thousandths of a second a long time?” “No, but we support mobile phones, and it’s not going to work.” So I demoed my Samsung S9 phone encrypting and decrypting in 27 ms using 1,024-bit RSA.

So while the key pair generation is certainly a time-consuming process, the actual encryption and decryption in the browser (or on the server) can be done fairly quickly, and will thus protect the data from its source to the back-end application. No other entity on the way will then be able to read the…
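The split between slow key generation and fast encrypt/decrypt can be measured with the Web Crypto API, which runs in browsers and in Node.js. This is an added example, not the code behind the article's demo: the function names, the 2,048-bit modulus, RSA-OAEP with SHA-256 and the sample field are assumptions, and it presumes the page receives the back end's public key authentically.

```javascript
// RSA-OAEP through the Web Crypto API (browser global, with a Node.js fallback).
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);

const RSA_PARAMS = {
  name: 'RSA-OAEP',
  modulusLength: 2048,                        // assumption; the article's demo used 1,024-bit RSA
  publicExponent: new Uint8Array([1, 0, 1]),  // 65537
  hash: 'SHA-256',
};
// Largest plaintext RSA-OAEP accepts: k - 2*hLen - 2 bytes (190 for 2048-bit, SHA-256).
const MAX_PLAINTEXT = RSA_PARAMS.modulusLength / 8 - 2 * 32 - 2;

// Back end, done once: generate the key pair and publish only the public key (SPKI).
async function generateServerKeys() {
  const pair = await subtle.generateKey(RSA_PARAMS, true, ['encrypt', 'decrypt']);
  const publicSpki = await subtle.exportKey('spki', pair.publicKey);
  return { privateKey: pair.privateKey, publicSpki };
}

// Browser: encrypt a short field to the back end's public key before it leaves the page.
async function encryptField(publicSpki, text) {
  const data = new TextEncoder().encode(text);
  if (data.length > MAX_PLAINTEXT) throw new RangeError('field too long for RSA-OAEP');
  const key = await subtle.importKey('spki', publicSpki,
    { name: 'RSA-OAEP', hash: 'SHA-256' }, false, ['encrypt']);
  return new Uint8Array(await subtle.encrypt({ name: 'RSA-OAEP' }, key, data));
}

// Back end: only the holder of the private key recovers the field.
async function decryptField(privateKey, ciphertext) {
  const plain = await subtle.decrypt({ name: 'RSA-OAEP' }, privateKey, ciphertext);
  return new TextDecoder().decode(plain);
}

// Time each step on a constructed sample value (not real data).
async function demo(sample = 'account=12345678') {
  const t0 = performance.now();
  const { privateKey, publicSpki } = await generateServerKeys();
  const t1 = performance.now();
  const ciphertext = await encryptField(publicSpki, sample);
  const recovered = await decryptField(privateKey, ciphertext);
  const t2 = performance.now();
  return { recovered, ciphertext, keygenMs: t1 - t0, cryptMs: t2 - t1 };
}
```

Calling `demo()` returns `keygenMs` and `cryptMs` so the two costs can be compared on the device in question. Fields longer than `MAX_PLAINTEXT` need a hybrid scheme (a symmetric key wrapped with RSA), which this block does not cover.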

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.