#infos
auth-name : Harry Halpin
tag : javascript, cryptography, W3C, security
advance costs : N
need room : N
Location : Boston, USA (but right now Paris!)
Can host ppl : na
Javascript Web Cryptography: The Good, the Bad, and the Cryptopocalypse
After the Snowden revelations and innumerable SSL bugs, web developers everywhere now want to encrypt all the apps - and maybe TLS is not enough! However, for years Javascript crypto has been fraught with a multitude of libraries and some sketchy behavior in the runtime environment. In addition to secure origins, the W3C has been working quietly for the last three years with all major browser vendors to roll out the W3C Web Cryptography API, already in Mozilla, Chrome, and Internet Explorer. The W3C WebCrypto API exposes, as normalized, standard, constant-time functions, the basic primitives of cryptography that are needed: PRNG, encryption, decryption, key derivation, key wrapping, and more. We'll give a quick overview of the API and related work like Javascript Web Keys, and a demo of some working code. Also, we're not done yet: there are still open issues, ranging from battles over algorithm extensibility to the Cryptopocalypse - issues that must be solved for the WebCrypto API to become a full Recommendation.
Javascript Web Cryptography is only the first small step toward a secure Web. Next up is getting the secure key storage and third-party Javascript code verification the Web needs. Lastly, we'll outline how anyone can get involved in developing the open standards needed to build what Tim Berners-Lee calls the "Web We Want" - and stop the Web from being subverted.