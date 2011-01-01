Hacker News new | comments | show | ask | jobs | submit login
SJCL – Stanford JavaScript Crypto Library (github.com)
44 points by remx 1 hour ago





Shameless plug: SJCL is a great library and easy to work with.

I've used it to build a non-profit decentralized encryption tool that can be used to send and receive files that will self-decrypt using SJCL, JavaScript FileReader, and HTML5 download attributes.

User A creates a password to encrypt a file using this client-side mechanism - which produces a self-decrypting HTML file. User B opens this HTML file in their browser which will ask them for the password to decrypt the file allowing them to download the original file all without a server. The homepage can be downloaded and self-hosted at will.

https://zipit.io/

Browser crypto is really problematic. For one, the client is downloading the crypto JS implementation (almost) every time they are using the app. Server compromised? crypto.js is rendered useless. HTTPS certificate compromised? crypto.js is useless.

And also:

XSS vuln on your website? crypto.js is useless since attacker will just exfiltrate your private key / password through XSS.

The browser is wonderful for UI but mashing together code and markup and then trying to permissively parse and execute it never goes well for security.

Do you even trust the site to actually do what it says? After all, a web application is just [someone else's] code running on your system.

Even if it's secure against XSS, HTTPS is intact, etc, you are ultimately putting presumably sensitive data into code someone else wrote and then allowing it to run on your machine with explicit network access.

The crypto implementation may be flawed, or the developer may even send your private key up or other data that you don't expect it to be sending (whether it is out of lack of understanding, accident or malice). It would be nearly impossible for you to spot if it's just sent as part of the big blob of encrypted data you expect it to be sending. The blob being bigger than you expect might be a clue, but the only way to know for sure is to audit the code, and if the code if obfuscated/minimized that could be quite the task in itself.

This is really not a problem of browser crypto at all; this is a problem of trust of the code you're executing and using.

> For one, the client is downloading the crypto JS implementation (almost) every time they are using the app

Not in the case of browsers' extensions or Electron/NW.js apps.

> XSS vuln on your website? crypto.js is useless since attacker will just exfiltrate your private key / password through XSS.

It's not like buffer overread and other vulns don't exist in the non-browser world. Also, a huge amount of XSS vulns can be avoided by having a good CSP config.

Now I'm not supporting javascript crypto. Just responding to some of your points. Inb4 some crypto SJW quotes me on that.

I think it's important to decouple Javascript the language, Javascript the runtime, and the browser security model from each other. Javascript --- the language and the runtime --- aren't ideal environments in which to do crypto, but they're not untenable. It's the browser --- not the browser shell, running as a standalone application as in Electron, but the actual Chrome browser that fetches things from URLs --- that makes crypto untenable.

More interestingly, and recent, there is Web Crypto: https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_...

Although I have no idea about the state of the thing.

There's a discussion going on of people who claim doing Crypto in the browser is super insecure. (Crockford is one of them) I wonder to what degree this is true or what needs to be done to do at least some basic crypto in the browser like AES for personal user data.

I've written about this, here: http://stackoverflow.com/a/24677597/19212, in response to the question "Can local storage ever be considered secure?", and in particular using encryption from the SJCL.

Here is the gist, copied for convenience:

> There are libraries that do implement the desired functionality, e.g. Stanford Javascript Crypto Library. There are inherent weaknesses, though (as referred to in the link from @ircmaxewell's answer):

- Lack of entropy / random number generation;

- Lack of a secure keystore i.e. the private key must be password-protected if stored locally, or stored on the server (which bars offline access);

- Lack of secure-erase;

- Lack of timing characteristics.

> Each of these weaknesses corresponds with a category of cryptographic compromise. In other words, while you may have "crypto" by name, it will be well below the rigour one aspires to in practice.

> These concerns will likely be addressed in the WebCrypto API, but that is not here yet.

This "discussion" has been going on for a long time. Here is an article posted to HN back in 2011 that you might be interested in: https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

Keep in mind that today's browsers have native crypto APIs that weren't available when this was written. (https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_...)

I wasn't aware of this, and checked caniuse, nad there's already some solid support, although the standard isn't complete.

JavaScript's random generator is not cryptographically "secure" because it's not random enough. You can however make your own random generator by using keyboard/mouse input, microphone noise, etc for entropy.

The only time you should ever use crypto in the browser is if you're building an end-to-end encrypted app in the browser.

Then encryption should be a standard API provided by the browser. We already have a level of trust in the browser for crypto implementation, we should not be relying on independent javascript code.

Is there a market for end-to-end encrypted app in the browser?

Two things come to my mind, cryptocat and the PGP plugin for Gmail.

Now, are they useful and used? I don't know...

