
Ask HN: Secure Webassembly crypto? - badrabbit
Hi HN,<p>I was looking into the possibility of using something like the noise framework for secure channel encryption between a webassembly in-browser client and other peers.<p>Of course getting the code to compile and work properly in wasm is a challenge but the larger concern I have is cryptographic security:<p>1) If erasing memory referenced by a pointer in a native compiled program more or less guarantees removal of that data from memory without accounting for &quot;cold boot&quot; forensic recovery, will that same procedure translate just as well for a webassembly compiled program? I am concerned about in-memory persistence of secret values after user logout or tab closure.<p>2) How significant of a concern is a side channel attack? Specifically by code running in a different tab.<p>Apologies in advance if this type or format of a question isn&#x27;t proper for HN. I have seen several good posts about crypto and webassembly on HN which is why I am trying to take advantage of your opinions. Also, since webassembly is getting more and more popular maybe this could help me and other folks from making incorrect assumptions when attempting to writr secure code.
======
757362
Here is some information that mey be of use on the secure channel encryption?

End-to-end encryption [https://en.wikipedia.org/wiki/End-to-
end_encryption](https://en.wikipedia.org/wiki/End-to-end_encryption)

End-To-End is a crypto library to encrypt, decrypt, digital sign, and verify
signed messages (implementing OpenPGP and OTR) [https://github.com/google/end-
to-end](https://github.com/google/end-to-end)

(Auth) So you want to build a decentralized Twitter with end-to-end
encryption, that works right in the browser? All with MIT licensed Open Source
code?
[https://github.com/amark/gun/wiki/auth](https://github.com/amark/gun/wiki/auth)

P2P Authenticated Encryption
[https://github.com/tendermint/tendermint/wiki/P2P-Authentica...](https://github.com/tendermint/tendermint/wiki/P2P-Authenticated-
Encryption)

GNUnet is an alternative network stack for building secure, decentralized and
privacy-preserving distributed applications.
[https://gnunet.org](https://gnunet.org)

A decentralized, peer-to-peer, encrypted chat in PHP.
[https://github.com/TheFox/phpchat](https://github.com/TheFox/phpchat)

Top 5 Most Rated Node.js Frameworks for End-to-End Web Testing
[https://medium.com/@adrian_lewis/top-5-most-rated-node-js-
fr...](https://medium.com/@adrian_lewis/top-5-most-rated-node-js-frameworks-
for-end-to-end-web-testing-f8ebca4e5d44)

------
757362
The Side Channel Attack?

JavaScript Zero: real JavaScript, and zero side-channel attacks
[https://blog.acolyer.org/2018/03/13/javascript-zero-real-
jav...](https://blog.acolyer.org/2018/03/13/javascript-zero-real-javascript-
and-zero-side-channel-attacks/)

Side-Channel Attacks on Everyday Applications
[https://github.com/defuse/flush-reload-
attacks](https://github.com/defuse/flush-reload-attacks)

The DrK (De-randomizing Kernel ASLR) attack [https://github.com/sslab-
gatech/DrK](https://github.com/sslab-gatech/DrK)

Cache Template Attacks
[https://github.com/IAIK/cache_template_attacks](https://github.com/IAIK/cache_template_attacks)

Using Node.js Event Loop for Timing Attacks [https://snyk.io/blog/node-js-
timing-attack-ccc-ctf/](https://snyk.io/blog/node-js-timing-attack-ccc-ctf/)

Cross Frame Scripting
[https://www.owasp.org/index.php/Cross_Frame_Scripting](https://www.owasp.org/index.php/Cross_Frame_Scripting)

Cross Frame Scripting (XFS) Cheat Sheet, Attack Examples & Protection
[https://www.checkmarx.com/knowledge/knowledgebase/XFS](https://www.checkmarx.com/knowledge/knowledgebase/XFS)

Testing for CSS Injection (OTG-CLIENT-005)
[https://www.owasp.org/index.php/Testing_for_CSS_Injection_(O...](https://www.owasp.org/index.php/Testing_for_CSS_Injection_\(OTG-
CLIENT-005\))

Stealing CSRF tokens with CSS injection (without iFrames)
[https://github.com/dxa4481/cssInjection](https://github.com/dxa4481/cssInjection)

Stealing Data With CSS: Attack and Defense [https://www.mike-
gualtieri.com/posts/stealing-data-with-css-...](https://www.mike-
gualtieri.com/posts/stealing-data-with-css-attack-and-defense)

Reading Data via CSS Injection [https://curesec.com/blog/article/blog/Reading-
Data-via-CSS-I...](https://curesec.com/blog/article/blog/Reading-Data-via-CSS-
Injection-180.html)

