

Show HN: Calculate MD5, SHA-1 in your browser using HTML5 and WebWorkers - chadkeck
http://browserhash.com

======
tptacek
Why would I want this?

By this I mean, what's an end-to-end use case for it? In which a user wants a
SHA hash of a file, uses this thing to get it, and then does something with
the hash.

~~~
chadkeck
Hey Thomas, The itch I was scratching with this tool is that there isn't a
built-in way in Windows to get a digest of a file, so... what better way than
doing it in the browser?

Also, I'm the paranoid type and don't like the idea of uploading a file to
someone else's server if I want the digest.

~~~
tptacek
You aren't worried that doing this via Javascript will make it insecure for
that use? In almost the same manner as uploading your file to a server (simply
to get the hash) would be?

~~~
chadkeck
I dont' really understand what you're saying here. Other services that
calculate the digest of a file online require you to upload your file to the
service/site where you don't know what they will do with it. With Browser
Hash, not one bit of your file leaves your computer or travels over the
network.

~~~
xtacy
I think he means that the JavaScript that computes the hash can be MITM'd.

~~~
wccrawford
How would it be MITM'd? It all happens on your computer. Nothing travels over
the network after the page is downloaded.

~~~
antimatter15
I think what xtacy means by MITM is that the javascript sent by the server
might be MITM'd and altered to return a different value than the actual hash.

But for instance, if I'm trying to SHA1 a Windows 8 iso (the kind which I
imagine would be by far the most common use case - in which a
cryptographically secure hash algorithm isn't even a prerequisite any checksum
would do).

It's not any worse than downloading the sha1sum app from any http site.

~~~
tptacek
No, it's worse than downloading the "sha1sum" app, because you only have to
download "sha1sum" once. You can use a variety of out-of-band methods to
verify the file that you can't reasonably or cost-effectively do with a
website.

A website is essentially "installed" every time you visit it.

------
HardyLeung
Try <http://www.hashsum.com>

It's a Silverlight application I wrote years ago (as a warmup) and it does
MD5, SHA1, SHA256, etc. and it is much faster than any Javascript or Flash
implementation I've ever seen, including this one.

Apology for the very poor Google adsense placement and UI. Yeah it is
embarrassing. It was my first introduction to web programming, Google Adsense,
and UI, and I've moved on from it long ago. Needless to say I have learned a
lot since then.

Hashsum can handle much bigger files than 10MB. In fact, for a file that
small, you won't even notice that it did anything. Try something bigger, like
a DVD-sized ISO (4.7GB) which will take about 1 or 2 minutes. All computation
is done on the client side.

Anyone who claims Javascript is "as fast as C/C++" should at least try to beat
Hashsum, which is only C# based.

Sadly, Microsoft is putting an end to this amazing technology, but that's
another story.

------
Zash
From the blog post:

    
    
      > * Internet connection required (for now).
    

There's this thing called caching. ;)

Also, cache manifest.

~~~
chadkeck
Yeah, the cache manifest will be the next feature for Browser Hash :)

------
ericb
What is the license? I haven't looked too closely yet, but I might want to
borrow some of the JS for a firefox plugin where I'd want to calculate hashes.

~~~
chadkeck
The code is up on github. I will add the MIT license soon (do what you want
with the code).

The hash functions came from Paj here: <http://pajhome.org.uk/crypt/md5/>

IIRC, Firefox's add-on API already has an MD5 calculation method.

