
On a related note: I was recently reviewing the web crypto API and I was surprised to see that only RSA works for encrypting/decrypting data. They do offer support for ECDSA to sign and verify messages, but not encrypt data using public keys with elliptic curves. Is there a reason for this?

For example: encryption: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypt...

Note that ECDSA is missing.

But, for signing: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypt...

Here, ECDSA is an option.

Why the difference?

It means you cannot use your web browser crypto to interact with the majority of blockchains (like Ethereum).

Is there a good reason why support inside your browser for signing is available with ECDSA but not encryption?

Is this a patent or IP issue, or perhaps a political issue?

I always thought one reason for not using RSA was that you never know if there are backdoors the US government has installed, but this article makes it sound technically poor as well.

You don't normally encrypt with ECC. You use it to establish a symmetric key, and encrypt with that. Look for WebCrypto examples for ECDH.

In fact, the ability to encrypt directly with RSA is probably a bug, not a feature. There are too many ways to do it catastrophically wrong, and it almost guarantees cryptosystems without forward secrecy.

(WebCrypto isn't great and I'd avoid it, but this isn't why).

Thanks, this is very clarifying.

Do you have a link to a discussion on why WebCrypto isn't great? More specifically, are you saying there is no real good way to do encryption with WebCrypto, or is it that it is too easy to do it wrong?

It doesn't address the core problem with browser encryption, which is that trust is inevitably rooted in the servers that deliver your content; WebCrypto bakes more of the "guts" of crypto primitives into the browser, where they don't have to be remotely programmed through Javascript, but the "joinery" is still content-controlled Javascript and is more than flexible enough to allow a malicious server to (very) surreptitiously exfiltrate secrets.

It can make some sense in extensions, or in situations where client-side cryptography is more an interoperability or offloading concern than an end-to-end security concern. But ultimately, it's misused more than it's used well.

