A new Quark Engine 4.0.0 is here with a major change by switching from RSA to ECDH data encryption.
Quark Engine is a core of our apps, a framework for easy to use and implement Browser to Java RPC with modern, fast and secure data request encryption no matter if standard HTTPs or WebSocket is used.
After releasing a new open-source Crypto API compatible WebAssembly based module, we made a switch from RSA based encryption key exchange to faster and more reliable ECDH which is fully compatible either with browser native Crypto API or our replacement WebAssembly module.
One might ask why we added encryption if there is a HTPPS. The answer is simple... It is common that companies are putting web servers behind proxies/load-balancers and setup HTTPS only between end user (browsers) and proxies itself, while connection between proxies and back-end servers are unencrypted leaving open doors for getting the request data simply by scanning the local network packets.
We will not go into the reasons why many are using such approach instead of encrypting the whole network path, however even so, keys can be cracked or stolen. Having additional level of encryption for sensitive API segments significantly increase security.
Not all the Quark requests are required to be double encrypted. Quark Engine allows you to fine-tune which server side controller and its methods are forced to be encrypted, or the front end developer can select which API channel will be additionally encrypted.
Our own experience showed that an additional layer of encryption in high load environments did not have a noticeable impact on performance. There were no significantly reduced response times. So, double encrypting as a default when using Quark Engine should not create any issues.
Loosing a few milliseconds in an exchange for an increased level of security is a very small price. Check out Quark Engine main web page for more details.