Forum Discussion
Joel_Moses
Oct 01, 2010 · Nimbostratus
We must share the same auditor; failing to see the forest for the trees. Your auditor is asking for obscuration, not meaningful encryption; a determined attacker wouldn't be stymied by this at all.
With the connection already covered between APM and the browser via TLS, the transaction is encrypted, period. An attacker who would be able to decrypt the SSL session won't be stymied by a JS-delivered form field encryption -- which, by the way, would need to be provided a key within the JS method with which to encrypt it. If the user's PC or SSL session is compromised, there's no security to be gained from a client-side field encryption.
Good luck.