[Cryptography] [cryptography] Browser JS (client side) crypto FUD
Kristian Gjøsteen
kristian.gjosteen at math.ntnu.no
Fri Aug 1 03:05:41 EDT 2014
29. juli 2014 kl. 01:00 skrev Jeffrey Goldberg <jeffrey at goldmark.org>:
> I work for a company that has tried very hard to do cryptography in JS right.
Cryptography in JavaScript is obviously useful, but unnecessarily hard to do right.
There are applications that must be able to do proper crypto and that you want to run in the browser.
One example is remote voting, where fancy crypto must happen on the client. You can’t require people to install purpose-built applications, so you write the encryption code in JavaScript and deploy it via a web site. In principle, you can also distribute dedicated voting applications, or a browser extension that ignores the election web site’s crypto code and uses a local copy instead. This would allow users who care to increase their security.
There are applications that could use the equivalent of crypto in JavaScript. OpenID-like schemes based on passwords could benefit from client-side cryptography. Again, dedicated applications or browser extensions could provide increased security for users who care.
In a perfect world, browsers would expose a standard, useful API of cryptographic and mathematical primitives, which would make it much easier to deploy JavaScript cryptography. But that’s unlikely to happen. So we’ll continue to see people messing up random number generation etc.
People will obviously continue to apply JavaScript cryptography where it doesn't make sense.
--
Kristian Gjøsteen
More information about the cryptography
mailing list