Dear all, thank you for providing advice and feedback. I agree that it is questionable to believe that a user puts more trust in the statement "we will encrypt your (sensitive) information on the DB on server" than in the statement "we will not misuse your data". Why should he believe that his data gets encrypted on the server if he has no trust in the service at all?
However, optional encryption on client side may have a positive impact on trust. At least, by monitoring the server calls, the user may get the proof that no unencrypted, clear text data leaves his machine. On the other side, the critical part of this approach may be to convince him that the application really makes use of the explained encryption algorithm and does not simply send ROT-13 encoded data to the server. SSL is also fine for increasing trust in data transmission, but it does not influence the trust in the service provider (in this case, me) that sensitive data is not disclosed once stored to the server (intentionally or by chance, e.g. in the described example of db admins looking at the db or logs). Also, the issue with SSL is that my host, Google App Engine, does not support it with customised domain names, as far as I remember. I guess I will postpone this feature until more than just one user asks for it.

Thanks!
Sven
