

Javascript and crypto. Am I on a fool's errand? - iuguy

Hi,<p>I&#x27;m working on a little project that uses the openpgpjs library[1]. After seeing the epic shitstorm here[2] it&#x27;s got me worried about whether or not I&#x27;m doing the right thing and whether or not I should release it at all.<p>I&#x27;m a security person, a pentester but not a pro cryptographer. My project involves using symmetric and asymmetric OpenPGP encryption in the browser, not on the server - hence Javascript. Java libraries like bouncycastle seem to be available but to me I don&#x27;t see much of a difference between Java and Javascript implementations (without formally reviewing both, neither of which I&#x27;m qualified to do from a crypto perspective) beyond the fact that no-one wants to use Java unless they have to.<p>So my question is, should I carry on with my project but open it up to cryptographers I know to evaluate before public release or am I on a fools&#x27; errand using Javascript? If so, why?
======
tptacek
Good on you for using OpenPGP instead of inventing something else. OpenPGP is
a bear to work with, but is a major step towards ensuring that you don't
jeopardize your users with bad crypto design decisions.

Unfortunately, I don't have anything good to say about browser Javascript in
any setting on any browser. There's a pretty large laundry list of problems
with it.

Whose problems are you trying to solve with this project? That'd help
formulate a better answer.

------
kogir
It really depends on what you're trying to do.

Amongst other things, since you can't ever know the Javascript runtime in the
browser hasn't been tampered with, and that the functions you're calling from
even correct crypto code haven't been overridden, the system will never
actually be safe to trust.

------
cylo
All the reasons why this is a terrible idea are outlined here:
[http://www.matasano.com/articles/javascript-
cryptography/](http://www.matasano.com/articles/javascript-cryptography/)

------
benologist
Why would JavaScript be less useful than any other language? At a minimum it
at least opens up modern platforms.

It's probably a great idea to let the experts you know audit it.

