
JavaScript Cryptography Considered Harmful - brhsiao
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2011/august/javascript-cryptography-considered-harmful/
======
tomw1808
I see your claims against all of that, some more obvious than others, some are
a bit outdated. I'm not going to discuss the up and downsides. All I am saying
is I don't see any proof. No links, no references, no proof-of-concept JS
manipulation. Nothing. Only accusations and assumptions.

When one makes quite huge accusations, as these are obviously, going strong
against best practices laid out by researchers, both from Google and Amazon
(and probably a lot more), it would be better to not only hate-talk, but also
- quite simply - prove it. Show, for example, how you can intercept JS sent from
the server via https. Or show how somebody did that. Or how you are going to
XSS in any major JS Framework out there. Or at least link some examples when
you make assumptions that all JS crypto won't work because of things like

> "cross-site scripting". Virtually every popular web application ever
> deployed has fallen victim to this problem

XSS sanitization was for a long time a problem and, of course, it still is, when
used the wrong way. There were plenty of hacks and attacks using cross site
scripting, no doubt.

or

> WHAT SYSTEMS PROGRAMMING FUNCTIONALITY DOES JAVASCRIPT LACK?
> Here's a starting point: a secure random number generator.

[https://www.w3.org/TR/WebCryptoAPI/#dfnReturnLink-0](https://www.w3.org/TR/WebCryptoAPI/#dfnReturnLink-0)

... and so on ...

