The Web Crypto API is a JavaScript standard for cryptographic primitives, allowing web applications to do cryptogarphy in the browser.
Questions tagged [web-crypto-api]
11 questions
21
votes
3 answers
What’s wrong with in-browser cryptography in 2017?
There are many articles in the internet criticising JavaScript cryptography in the browser:
"What’s wrong with in-browser cryptography?" by Tony Arcieri
"Final post on Javascript crypto" on rdist
"Javascript Cryptography Considered Harmful" on NCC …
user1204395
- 213
- 2
- 8
3
votes
0 answers
How can Web Crypto API and IndexedDB protect data stored on the client side against user manipulation?
Imagine web apps that are supposed to work with no or only a few interactions with the web server, for example:
a browser game in which the player's level and progress are to be saved locally.
a game, progressive web app or browser extension with…
Steve06
- 131
- 4
2
votes
1 answer
SubtleCrypto with non-extractable keys stored in IndexedDB - Cross Origin Usage
In a browser I want to use SublteCrypto (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) to create a key pair and store it locally in the IndexedDB (https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API).
Storing the key pair…
dominik
- 21
- 2
2
votes
1 answer
Are CryptoKey Objects stored in IndexedDB stored in Plain Text on the users machine?
I'm considering storing a sysmetric encryption key in the form of a CyptoKey Object with extractable set to false in IndexedDB and I was wandering whether this is safe or not.
The questions that I didn't find the answers to are:
How are the keys…
Mekacher Anis
- 123
- 4
2
votes
1 answer
Is possible to implement a Web Cryptography API custom provider?
I'm reading some basic info about Web Cryptography API and I'm wondering if is possible to implement some crypto provider (C/C++ library or something) with some extra algorithms or is mandatory to use the ones "embedded" with the web browser. I have…
RobertGG
- 47
- 4
1
vote
1 answer
Is the Web Crypto API secure when the server is trusted?
I've heard a lot of people say that the Web Crypto API is not very safe. For example: https://tonyarcieri.com/whats-wrong-with-webcrypto, Problems with in Browser Crypto. However, I'm looking to use the Web Crypto API for a completely different…
asdf3.14159
- 63
- 6
1
vote
1 answer
Web Crypto API maturity for JavaScript RSA encryption?
We have been using a JavaScript crypto API to do RSA encryption in the browser. I know all the criticisms on encryption in JavaScript but we have evaluated pros and cons of the solution and the risks are acceptable for us.
In the past we used…
robob
- 243
- 2
- 8
1
vote
1 answer
Does the Web Cryptography API prevent a bad server from slurping cleartext?
Consider a cryptographic web application that relies on hosted JavaScript. This JavaScript could be manipulated server-side by a bad actor, defeating any cryptographic tasks. Namely:
private keys could be sent back to the server
cleartext could be…
lofidevops
- 3,550
- 6
- 23
- 32
0
votes
1 answer
X.509 certificate's signature algorithm vs. algorithm used in key derived from it to verify a signature
I have the following from Google's public certs for verifying JWT ID
-----BEGIN…
David Min
- 162
- 6
0
votes
0 answers
ESP32: Secure WiFi credentials via WebCrypto?
Background information:
I am not a computer scientist. However, in a research project I am currently building a ESP32-based sensor. Multiple sensors of this type are going to be used by multiple users.
Every time a user wants to utilize a sensor,…
reg.cs
- 101
-1
votes
1 answer
Find Confirmation Code (FindBug.io)
I have solve half of the problem by decoding a base64 code that reveal the next URL(https://app.findbug.io/app/task/FinDBuG-CTF2019) but now i don't know what to find or where i tried it with burpsuite.
Here is the link for confirmation…
snowr
- 3
- 1