

auth-name : Harry Halpin
tag : javascript, cryptography, W3C, security
advance costs : N
need room : N
Location : Boston, USA (but right now Paris!)
Can host ppl : na

Javascript Web Cryptography: The Good, the Bad, and the Cryptopocalypse

After the Snowden revelations and innumerable SSL bugs, web developers everywhere now want to encrypt all the apps - and maybe TLS is not enough! However, for years Javascript crypto has been fraught with a multitude of libraries and some sketchy behavior in the runtime environment. In addition to secure origins, the W3C has been working quietly for the last three years with all major browser vendors to roll out the W3C Web Cryptography API, already in Mozilla, Chrome, and Internet Explorer. The W3C WebCrypto API exposes, as normalized, standard, constant-time functions, the basic cryptographic primitives needed: PRNG, encryption, decryption, key derivation, key wrapping, and more. We'll give a quick overview of the API, related work like Javascript Web Keys, and a demo of some working code. Also, we're not done yet: there are still open issues, ranging from battles over algorithm extensibility to the Cryptopocalypse - issues that must be solved for the WebCrypto API to become a full Recommendation.

Javascript Web Cryptography is only the first small step toward a secure Web. Next up is getting the secure key storage and third-party Javascript code verification the Web needs. Lastly, we'll outline how anyone can get involved in open standards to help build what Tim Berners-Lee calls the "Web We Want" - and stop the Web from being subverted.