3

This is about the new W3 WebcryptoAPI draft standard - http://www.w3.org/2012/webcrypto/WebCryptoAPI/

Here is a post by one of its authors

https://plus.google.com/u/0/105761279104103278252/posts/CSwVZ1RUijo

It says it's in part trying to change the "Javascript Cryptography Considered Harmful" problem. However, if you look at the "Javascript Cryptography Considered Harmful" article - http://www.matasano.com/articles/javascript-cryptography/ - it seems as if most of the problems still remain unsolved. The only problem solved is that you won't have hand-coded cryptographic functions in javascript - these will be provided by the browser. However, the remaining problems still remain.

Your thoughts?

2
  • More something for the guys at crypto. After a short look and seeing a complete and utter lack of key management procedures, I agree with your assessment. The only advantage I see is the access to a platform RNG, which is required to do any form of crypto anyway. Commented Sep 26, 2012 at 19:55
  • @owlstead: Is there a way to move my question to crypto? Commented Sep 27, 2012 at 4:47

1 Answer

1

Javascript crypto has two main problems:

  1. There is functionality that can't be written well in pure javascript, namely a PRNG and side-channel-free operations. WebCryptoAPI solves these issues. So it's certainly a significant step forward.
  2. If the server becomes malicious it can serve you evil javascript. With the current architecture it's very unlikely that you catch him. WebCryptoAPI does not solve this issue.

    This is a difficult problem for which we have no good solution yet. There are some approaches to solving this problem.
    For example, in the article Verifiable Logs: Solving The “Cryptocat Problem”, Ben Laurie suggests that the content the webserver serves could be logged with some notaries, making it possible to catch evil servers. Unfortunately this isn't easy to deploy.
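The notary idea mentioned in the answer, sketched as an added example that is not part of the original post or of Ben Laurie's article: the served script is hashed with the browser-provided `crypto.subtle.digest`, and accepted only if enough notaries have logged the same bytes for that URL. The notary model (a plain list of logged digests), the quorum of 2, the URL and all function names are assumptions made for illustration.

```javascript
// Added illustration; the notary model and every name below are assumptions.
// Browsers expose WebCrypto as globalThis.crypto; older Node needs the module export.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto;

// SHA-256 of the served script, hex-encoded, computed by the platform (not by page JS).
async function sha256Hex(text) {
  const digest = await subtle.digest("SHA-256", new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), b => b.toString(16).padStart(2, "0")).join("");
}

// A notary is modelled as a list of { url, digest } entries it has witnessed.
// Returns the names of notaries whose log holds exactly these bytes for this URL.
async function witnesses(url, body, notaries) {
  const digest = await sha256Hex(body);
  return Object.entries(notaries)
    .filter(([, log]) => log.some(e => e.url === url && e.digest === digest))
    .map(([name]) => name);
}

// Accept the script only if at least `quorum` notaries logged the same content.
async function isPubliclyLogged(url, body, notaries, quorum) {
  return (await witnesses(url, body, notaries)).length >= quorum;
}

// Constructed sample data: one public release and one variant served to a single user.
async function demo() {
  const url = "https://chat.example/app.js";
  const released = "function send(msg, key) { return encrypt(msg, key); }";
  const variant = released + " report(key);"; // differs from what everyone else gets
  const logged = await sha256Hex(released);
  const notaries = {
    notaryA: [{ url, digest: logged }],
    notaryB: [{ url, digest: logged }],
    notaryC: [], // has not witnessed this release
  };
  return {
    released: await isPubliclyLogged(url, released, notaries, 2),
    variant: await isPubliclyLogged(url, variant, notaries, 2),
  };
}
```

The check is only meaningful when it runs in code the server does not control, such as the browser itself or an extension. If it ships inside the page, the same server can remove it, which is part of why this is hard to deploy.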
