Francisco del Aguila - 2016-10-05 16:15:23 - In reply to message 1 from AVAS Technology
You're right: This tool is not intended to replace SSL/TLS.
It's just a tool to avoid plain-text communications as an efficient defence against sniffers (remember that the RSA private key is NEVER transmitted, and the AES-256 key is RSA encrypted and has a short life). It can also be valid against XSS attacks if the calling script only accepts encoded forms (better than using tokens is to convert all data into a token itself).
Just another stone in hackers' way. Remember that SSL/TLS can be attacked: https://drownattack.com, CRIME SSL/TLS, HEIST... and future ones.