
The Curious Case of WebCrypto Diffie-Hellman on Firefox - CiPHPerCoder
https://blog.intothesymmetry.com/2020/01/the-curious-case-of-webcrypto-diffie.html
======
CiPHPerCoder
The TL;DR by Ryan Castellucci is excellent:
[https://twitter.com/ryancdotorg/status/1214578765998645249](https://twitter.com/ryancdotorg/status/1214578765998645249)

> Neat attack. TL;DR: A "non-exportable" finite field Diffie-Hellman private
> key can be extracted because the key object isn't bound to specific group
> parameters. XSS the site, do some operations with deliberately weak group
> parameters, solve for key.

~~~
ecesena
The author found the bug inspired by:
[https://github.com/google/wycheproof](https://github.com/google/wycheproof)

(it's in the thread of the original tweet, though the thread is in Italian:
[https://twitter.com/asanso/status/1214450115777351681](https://twitter.com/asanso/status/1214450115777351681))

------
austincheney
In case anybody is curious about DH it is a cryptographic algorithm for key
exchange:
[https://en.m.wikipedia.org/wiki/Diffie–Hellman_key_exchange](https://en.m.wikipedia.org/wiki/Diffie–Hellman_key_exchange)

The basic idea is that public keys need to be exchanged to perform encryption
from one end and decryption at another end. An example is encrypting with the
remote user's public key and they decrypt with their stored private key. It’s
complicated though because you don’t want to exchange the public keys without
restrictions where they can be obtained by unauthorized parties or
disseminated without your consent. You also may not trust the distant end.
That is why you have stuff like DH and key escrow.

~~~
tialaramex
Yours is at best a terribly muddled description. Public keys are _public_ and
we don't care if they're "Obtained by unauthorized parties" or "Disseminated
without your consent". That's what _public_ means.

The specific issue here is that the WebCrypto API is supposed to be protected
against XSS. So if your code has a private key P and it turns out a bug in
your site means bad guys can run whatever they want inside the VM where P is
stored, they can't discover P. A bug in Firefox meant that it was actually
possible to modify P and then do operations which have the effect of revealing
it without undoing the virtual machine's protection for the actual value of P.

It's maybe hard to come up with concrete scenarios where this is a problem
(which will be why it was so easy for Firefox to just remove it from the
current version) but on the other hand it's also really hard to come up with
concrete scenarios where WebCrypto was the Right Thing anyway so this is
certainly not a point against WebCrypto sceptics like HN's Thomas Ptacek.
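A constructed toy model of the flaw described in the quoted TL;DR and in the comment above, added here and not code from the thread or from Firefox: a private exponent that is hidden from script but will exponentiate in whatever group arrives with the peer value, beside a key object bound to its own parameters. All names (`UnboundDHKey`, `BoundDHKey`, `exponentResidueLeaked`) are hypothetical and the numbers are tiny demo values.

```javascript
// Modular exponentiation on BigInt; the only arithmetic the model needs.
function modPow(base, exp, mod) {
  let r = 1n;
  base %= mod;
  for (let e = exp; e > 0n; e >>= 1n) {
    if (e & 1n) r = (r * base) % mod;
    base = (base * base) % mod;
  }
  return r;
}

// Flawed shape (a model, not Firefox's code): x is hidden from script, yet
// deriveBits() exponentiates in whatever modulus p arrives with the peer
// value, so a script with call access can pick a tiny group per call.
class UnboundDHKey {
  #x;
  constructor(x) { this.#x = x; }
  deriveBits(peerPublic, p) { return modPow(peerPublic, this.#x, p); }
}

// Hardened shape: the key carries its own (p, g), offers no way to substitute
// them, and rejects peer values outside [2, p-2] (e.g. the trivial subgroup).
class BoundDHKey {
  #x; #p; #g;
  constructor(x, p, g) { this.#x = x; this.#p = p; this.#g = g; }
  publicValue() { return modPow(this.#g, this.#x, this.#p); }
  deriveBits(peerPublic) {
    if (peerPublic < 2n || peerPublic > this.#p - 2n) {
      throw new Error('peer value out of range for this group');
    }
    return modPow(peerPublic, this.#x, this.#p);
  }
}

// What the flawed key gives away: with a small prime q and a generator g of
// Z_q*, deriveBits(g, q) = g^x mod q, and x mod (q-1) is read off by trying
// the q-1 possible residues. Returns null only if q/g are not as assumed.
function exponentResidueLeaked(key, q, g) {
  const observed = key.deriveBits(g, q);
  for (let r = 0n; r < q - 1n; r++) {
    if (modPow(g, r, q) === observed) return r;
  }
  return null;
}

// Constructed demo: 19 is prime and 2 generates Z_19*, so x mod 18 leaks.
const SECRET_X = 1234567n;
const unbound = new UnboundDHKey(SECRET_X);
const leakedResidue = exponentResidueLeaked(unbound, 19n, 2n); // 1n === SECRET_X % 18n
```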

