Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Nov 2, 2011

Base64 decode online — are you sure?

Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version.
tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.
Google's keyword tool reports 9,900 monthly searches for "base64 decode online". How many of these searches lead to disclosure of sensitive business information or personal information (PII) to one of the Base64 decoding webpages? None of these searches are from IT professionals trying to figure out what's wrong in a production system, right?

Top Google results for "base64 decode online" at time of writing

Doing a quick review of the top ten results of a Google search for "base64 decode online", I found that none of the online base64 decoders offered secure communications to the server by default (i.e. no HTTPS). That means that whatever data you're sending over the wire is not protected by end-to-end encryption, so you cannot guarantee its confidentiality while it's in transit. Note also that the response you get back is no longer Base64 encoded: it is human readable and can easily be recognized as sensitive information by anyone who intercepts it.

The Base64 decoding websites contain no information on whether they might use the data for any purpose, or whether the data you send to them is stored in any way on the server(s). So you have no guarantees of the information's confidentiality on the server either. Unless you check specifically (every time!), you have no idea where the sites' web servers are located. In effect you might be shipping company data out of the country. Explain that to the compliance department...

What should you do?
You should install an application locally that lets you decode the data. Web application security proxies such as Burp and Fiddler support Base64 encoding/decoding, and they're also great debugging tools for web applications. However, they might need administrator rights to install properly.

TransformTool is an encoding/decoding tool that supports Base64 (disclaimer: I wrote it). It installs locally and runs with restricted privileges. The installation is simple, and does not require administrator privileges on the computer.

So, find a trustworthy tool that installs locally on your computer. Use that for your Base64 decoding needs instead of sharing the data on the Internet!
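The same job done locally, as an added example that is not part of the original post or of TransformTool: a small decoder using only the Python standard library, so the data never leaves your machine. It also handles the two things a pasted blob most often trips over, missing "=" padding and the URL-safe alphabet (`-` and `_` instead of `+` and `/`), and refuses input that is not valid Base64 rather than silently producing garbage. The sample inputs are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample inputs (not from the original post): a padded standard
# Base64 string and a URL-safe variant with the padding stripped.
SAMPLES = {
    "standard": "c2VjcmV0Cg==",
    "urlsafe_nopad": "c2VjcmV0Cg",
}


def normalize_base64(data: str) -> bytes:
    """Strip whitespace, map the URL-safe alphabet to the standard one, and
    restore missing '=' padding so strict decoding can succeed."""
    cleaned = re.sub(r"\s+", "", data)
    cleaned = cleaned.replace("-", "+").replace("_", "/")
    # Padded Base64 input is always a multiple of 4 characters long.
    cleaned += "=" * (-len(cleaned) % 4)
    return cleaned.encode("ascii")


def decode_locally(data: str) -> dict:
    """Decode Base64 on this machine only; nothing is sent anywhere.
    Returns the raw bytes plus a best-effort text rendering."""
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of skipping them, which would hide corrupted input.
        raw = base64.b64decode(normalize_base64(data), validate=True)
    except (binascii.Error, UnicodeEncodeError) as exc:
        return {"ok": False, "error": str(exc), "raw": b"", "text": None}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None  # binary payload: show hex rather than guess an encoding
    return {"ok": True, "error": None, "raw": raw, "text": text}


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        result = decode_locally(sample)
        if not result["ok"]:
            print(f"{name}: invalid Base64 ({result['error']})")
            continue
        shown = result["text"] if result["text"] is not None else result["raw"].hex()
        print(f"{name}: {shown!r}")
```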


  1. I don't know about Fiddler, but Burp Suite definitely does not require administrator rights to install (it's more or less just a .jar file that you run).

  2. Ok, thanks! As you can see from my previous post, I've uninstalled Java. So I wouldn't know. :)

  3. Most Linux distributions come preinstalled with the "base64" command-line tool. It's even part of the Linux in your browser distribution at http://bellard.org/jslinux/. This means you can do fun things like pasting "c2VjcmV0Cg==" into the clipboard and issuing the command "base64 -d /dev/clipboard".

    Since it runs entirely within a temporary virtual machine executing locally, no content is sent anywhere or stored anywhere. If you're not willing to trust that Bellard hasn't added any malicious code to the JSLinux, you can disable the network after loading up the page.

  4. Cool! Hadn't seen that one. I'm not sure disabling the network would be a viable option, wouldn't that break the Facebook updates? :)

    I guess Cygwin includes the base64 command line tool too, which would be useful for working with (large) files on a Windoze installation.

    Running Linux in the browser made me, well, miss Linux... Thanks a lot.

  5. FYI: There is one online Base64 decoder that does offer secure SSL transfer and a decent privacy policy. Check out this one:

    Secure Base64 Decoder

    1. Hi, thanks for the tip!

      Still, I'll have to stick with my recommendation of finding a tool that can do this locally for you. If you're working with PII or other sensitive data it's not a great idea to post it to some site abroad. :)


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2015. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
