
FileKit: An open source end-to-end encrypted cloud storage service in JavaScript - tux3
https://github.com/TankerHQ/sdk-js/tree/master/packages/filekit
======
wglb
Doing cryptography in the browser is a bad idea:
[https://tonyarcieri.com/whats-wrong-with-
webcrypto](https://tonyarcieri.com/whats-wrong-with-webcrypto)

Also [https://www.nccgroup.trust/us/about-us/newsroom-and-
events/b...](https://www.nccgroup.trust/us/about-us/newsroom-and-
events/blog/2011/august/javascript-cryptography-considered-harmful/)

~~~
tzs
The author of that second one is a frequent HN commentator. Let me attempt to
summon him to this thread to see if he has anything more to say, since that
was written in 2011 so might be a bit out date.

Begin summoning ritual...

• It's easy to secure email with GPG.

• DNSSEC is a state of the art design that you should adopt on your website as
soon as possible, to make up for the deficiencies of TLS.

• You should use /dev/random for most cryptographic random number generation
on Linux. /dev/urandom is only good for things where security doesn't matter.

...end summoning ritual.

~~~
tptacek
I only have an alert set up on DNSSEC, for what it's worth. I won't notice
most GPG or /dev/random arguments.

(Thankfully, the /dev/random debate is moribund).

~~~
belenos46
I'm just tickled pink that it actually worked. It made my workday.

------
Sephr
This doesn't seem to be doing downloading in a streaming manner, as indicated
by its use of my old "file-saver"[1] library. Edit: Originally thought this
also did encryption without streaming.

Nowadays I would recommend using Penumbra[2] (another library I've worked on)
with StreamSaver.js for streaming file encryption/decryption/downloading.

1\.
[https://github.com/eligrey/FileSaver.js](https://github.com/eligrey/FileSaver.js)

2\. [https://github.com/transcend-io/penumbra](https://github.com/transcend-
io/penumbra)

~~~
blastrock
The encryption/upload _is_ streamed, but the download/decryption is not, we
will work on that. Thanks for the link!

------
IloveHN84
But how safe is cryptography in JavaScript, knowingly that the language allows
funny mathematics and comparison results?

~~~
jarfil
JavaScript itself is quite safe, more so if it's running isolated like in a
browser. Trusting your data to a piece of JavaScript code sent by a remote
server, though, is only as safe as the server.

~~~
tptacek
The "safety" being discussed here isn't system integrity, but rather
cryptographic side channel safety, which is very much an open question in
Javascript.

