The normal complaint about crypto in JS is that, as a user, I cannot tell what JS is going to be delivered to me this time. Perhaps a security letter forced an update to broken crypto.
> THEN I'LL JUST SERVE A CRYPTOGRAPHIC DIGEST OF MY CODE
1) Javascript is open source and you can audit the code you are running.
2) You can save the HTML of a page and run your local copy so that you know the JS can't change or check the hash every time
Can you audit the code of your OS or Browser? In theory, if you are on Linux, but in practice it is too complex and voluminous for one person to do.
A browser based app is usually in the thousands of lines of open source code running in a sandbox that is very easy to debug.
The browser environment is the most secure and most easily user auditable environment there is.
Unless you expect all of your users to build your app from source on linux that they built from source you can't really get better security.
"Javascript Cryptography Considered Harmful" is old FUD. It was barely coherent when first published and the only legitimate arguments it had have been fixed.
Please stop propagating this article. Its positions are out of date.
FTA: WHAT'S HARD ABOUT DEPLOYING JAVASCRIPT OVER SSL/TLS?
You can't simply send a single Javascript file over SSL/TLS. You have to send all the page contentover SSL/TLS. Otherwise, attackers will hijack the crypto code using the least-secure connection that builds the page.
----
Seriously? Serving entire websites over https is the norm these days. It appears as though the article has been added to but not updated. Current advocates should re-read the article.
Yes, I didn't really want to go through each point in the article. But here's a few things to consider as you read it:
- The article reads like those arguments we have in our heads where we always win.
- The article is from 2011
- The article says "come back in 10 years when people aren't running browsers from 2008"
(we're not to 2021 yet but the majority of browsers are evergreen now)
- We have SubtleCrypto now
- We have SubResourceIntegrity
- We have CORS and CSP
The article has some valid points, but I posit that it is more harmful than helpful. We need an Mozilla-style "arewesecureyet" website instead.
The article hammers home that you should not trust client-side javascript crypto. And you shouldn't. Because you can't. Because 30 points in that article. If we spent all day on this forum, we could go back and forth over every single one, re-establishing the above held truth.
It's like a Cloud OS. If my whole OS is running in the cloud, you can claim it's secure, "because crypto". But it's still actually running on a random pizza box in one of Google's datacenters. There's like 10 layers of trust and assurance needed between them and me.
If my OS is running on my laptop, I only need to trust ME, and maybe Intel's dodgy engineers, and whoever wrote the rest of what's running on my laptop. The control over the security of the system stays in my hands.
That is the basic trust problem, and on top of that are all the other technical problems that make client-side javascript crypto untrustworthy. Even if you solved all the other technical problems, I still don't trust what you are delivering to me more than I trust code that lives on my machine, designed by cryptographers to the highest standards of consumer security.