As an experiment I am creating a website in ruby on rails that has user accounts, and stores some information in a mysql database. The application for this could be anything from a cook book to a social network site, but this is just an experiment at the moment.

The key idea is I want to make it so it is not possible for the database owner to read the data in the database, only the users of the site will, the idea is outlined below

• Hash of user password sent to server to be stored, encrypted client side by javascript so only user knows password

• Use enters data on client side, and is encrypted with AES or Blowfish, using javascript, and stored in database, only use can decrypt

• When user requests data, it is sent from server to client, then dycrypted

The problem I have at the moment is how to store the users password securely on their machine so they do not have to keep typing it in.


I think this would be a brilliant tool, especially in this time of data loss and selling. It would be great for the users of say facebook, if they knew facebook operators were not reading their data, or so governments could not force a company to hand over all their data, and would have to get indevidual warrants for each person.

I do realise that it would be possible for the company to change their code to make it so data is not sent encrypted, and this system would not stop agains corrupt companies, unless it was a plugin for firefox or something. However most companies seperate database and development, so this would make it much harder for an individual at a company to look at users data. This however would be quickly spotted by the company, or could be monitered by external parties, as they would notice the html / javascript change.

Thanks for sharing your thoughts with us.