by tomp 4296 days ago
I don't think that JS or any other interpreted/JIT-compiled crypto code will ever be vetted by cryptographers. Simply the fact that you can't control the memory, CPU cache and instruction scheduling means that your code is vulnerable to at least side-channel exploits.

The Stanford Javascript Crypto Library was written / overseen by Dan Boneh who is a serious cryptographer by any definition.

http://bitwiseshiftleft.github.io/sjcl/

> We believe that SJCL provides the best security which is practically available in Javascript. (Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.)
And? It's vetted by a cryptographer who noted the caveats that apply. Do you take 'vetted' to mean 'unreservedly recommend'?
I would, yes.

His disclaimer mentions three game-over problems.