1. Home
2. Questions
3. AI Assist Labs
4. Tags
5. Challenges
6. Chat
7. Articles
8. Users
9. Companies
11. Communities for your favorite technologies. Explore all Collectives
Stack Internal

Stack Overflow for Teams is now called Stack Internal. Bring the best of human thought and AI automation together at your work.
Try for free Learn more
Bring the best of human thought and AI automation together at your work. Learn more

WebcryptoAPI - secure or not?

Asked 13 years, 2 months ago

Viewed 1k times

This is about the new W3 WebcryptoAPI draft standard - http://www.w3.org/2012/webcrypto/WebCryptoAPI/

Here is a post by one of it's authors

https://plus.google.com/u/0/105761279104103278252/posts/CSwVZ1RUijo

It says its in part trying to change the "Javascript Cryptography Considered Hamrful" problem. However if you look at the "Javascript Cryptography Considered Hamrful" article - http://www.matasano.com/articles/javascript-cryptography/ - it seems as if most of the problems still remain unsolved. The only problem solved is that you won't have hand coded cryptographic functions in javascript - these will be provided by the browser. However, the remaining problems still remain.

Your thoughts?

Improve this question

asked Sep 25, 2012 at 17:39

user93353's user avatar

user93353

14.1k8 gold badges64 silver badges128 bronze badges

More something for the guys at crypto. After a short look and seeing a complete and utter lack of key management procedures, I agree with your assessment. The only advantage I see is the access to a platform RNG, which is required to do any form of crypto anyway.

Maarten Bodewes
– Maarten Bodewes

2012年09月26日 19:55:09 +00:00
Commented Sep 26, 2012 at 19:55
@owlstead: Is there a way to move my question to crypto

user93353
– user93353

2012年09月27日 04:47:37 +00:00
Commented Sep 27, 2012 at 4:47

Add a comment |

1 Answer 1

Sorted by: Reset to default

Javascript crypto has two main problems:

There is functionality that can't be written well in pure javascript. Namely a PRNG and side channel free operations. WebCryptoAPI solves these issues. So it's certainly a significant step forward.
If the server becomes malicious it can serve you evil javascript. With the current architecture it's very unlikely that you catch him. WebCryptoAPI does not solve this issue.

This is a difficult problem for which we have no good solution yet. There are some approaches to solving this problem.
For example in the article Verifiable Logs: Solving The "Cryptocat Problem" Ben Laurie suggests that the content the webserver severs could be logged with some notaries making it possible to catch evil servers. Unfortunately this isn't easy to deploy.

Improve this answer

answered Oct 1, 2012 at 16:13

CodesInChaos's user avatar

CodesInChaos

109k26 gold badges224 silver badges267 bronze badges

Comments

Your Answer

Draft saved

Draft discarded

Sign up or log in

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

lang-js

CollectivesTM on Stack Overflow

WebcryptoAPI - secure or not?

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Hot Network Questions

CollectivesTM on Stack Overflow

1 Answer 1

Comments

Your Answer

Sign up or log in

Post as a guest

Post as a guest

Related