We have developed a code snippet to counter the issue of a man-in-the-middle (us) who is able to "see" all data. This is how it works:
- Client and server use public-private key pairs to communicate with each other
- Using public-private key pairs adds an extra level of encryption (on top of HTTPS), which we cannot decrypt
- This method is good for AJAX-type requests
- When the server loads the page it generates a public-private key pair for the request
- The private key is saved in SESSION on the server-side
- The public key is sent over to the client
- On page load the client generates its own public-private key pair and sends the public key to the server
- Subsequent data sent from the client (AJAX) is encrypted with the public key sent by the server
- Encrypted data is decrypted by the server using the corresponding private key
- The response is encrypted by the public key sent by the client
- Encrypted data is decrypted by the client using its private key
- This approach is good for AJAX requests and will not work for a complete page load (page navigation), as the browser will not be able to decrypt the data