back to article Microsoft eggheads publish JavaScript crypto code for devs

Microsoft Research has published an under-development JavaScript crypto library, for exposure to developers and researchers interested in cloud and browser security. Designed to work with HTML5-compliant cloud services, the Microsoft Research JavaScript Cryptography Library uses the W3C WebCrypto API to expose crypto functions …

COMMENTS

This topic is closed for new posts.

HTML5-compliant cloud services?

0
0
Silver badge

NSA-compliant cloud services more like.

Lovely idea though.

5
4
Meh

<mode="Regtard">

Well that'll be proprietary, patent encumbered and only work with WinDOZE H8TE - fuck you M$!

</mode>

There. I said it for you, you can all go home now.

14
8
Silver badge
Headmaster

The well-known psychological trick of PREEMPTEADONIZATION to prematurely shut down discussion won't work here, running redmondian dog lackey!

6
1

I think it's the juxtaposition with the capitals above it, but I keep parsing that as "redmondian turkey dog lackey", which is kind of cool, in a Monty Python Taunting way.

But I would have upvoted anyway (and did).

2
0
Linux

"There. I said it for you, you can all go home now."

Here, have an Up Vote for the effort you Windoze fanboi...

0
0
Silver badge
Black Helicopters

"and MS notes that this library will probably be replaced in future versions."

Obvious problem there - even if they don't quietly slip the NSA back-doored version in later, who is going to believe them that they won't? (Or won't have their arms twisted to do so.)

5
7
FAIL

It's Javascript, you moron.

Try reading it.

6
5
Silver badge
Meh

charming.

No need to be a dick about it, but you're point is fair. I've just downloaded it and it's all nicely formatted and readable javascript so many eyes can have a good look for NSA backdoors.

2
0

Re: charming.

And once it's finished it can be signed with the check sum in a public location so it's easy to verify.

2
0
FAIL

Re: charming.

And when you go to the NSA-backdoored web page that uses it, it will download some slightly different javascript from somewhere else, and verify it against a different check sum in a different location. And you won't know the difference.

4
6
Stop

Re: charming.

Which you can look at because you're downloading it and verify for yourself.

The back-end systems are a different matter, of course, but this bit literally cannot be other than legit without everyone knowing about it inside about a day.

--off topic

You know, I don't really like MS very much. Not much at all, in fact. The only thing they do for me is (indirectly) keep me in work. If they went bust I'd still have work, albeit using different tools but for now they keep me in work. No, I do not work for them. I really am not all that keen on any giant multinational money machine, to be honest. None of them are my friend and none of them want to be.

I am aware that here on the Register, it can seem that I am pro-Microsoft. I am not. It only looks that way because the commentards here are so anti-Microsoft that they are, in large numbers, utterly irrational on the subject. It's an odd situation. To autoGodwinize, it's a bit like accusing Oskar Schindler of being an Elder of Zion instead of just anti-murder.

12
2

Is anyone else amused by the idea of cryptographic algorithms implemented in a language without a true integer type?

http://www.jwz.org/blog/2010/10/every-day-i-learn-something-new-and-stupid/

I think it's kind of adorable.

1
3

I think that green writing on a black blog background is kind of cute and adorable, but that doesn't make it right.

The way that integers/numbers work in JS is down to the IEEE spec for floating point numbers - don't blame the language for THAT.

4
3
Boffin

I think that Jamie Zawinski can get away with doing his blog in b1ff if he so chooses, and he will still have more credibility than the average Reg commentard when it comes to complaining about ECMA stupidity.

1
2
Silver badge

Could be worse. Have you ever tried working in a language that uses integers as bools because it doesn't have real bools?

That's one of many insane problems with it (it also lacks real arrays for instance). Rumor amongst the community is that the guy who created the language did so in one all-nighter while drunk. It's not a hard rumor to believe. I suspect it would die a very quick death were there any other alternative in the environment where it's used.

0
3

In fairness, some of the best code I've ever written I did while drunk.

1
0
Silver badge
Happy

If you don't like javascript

then don't write in it. Those of us who do use it can actually get quite attached to it's almost psychopathic casting and crazy function scope. Going back to a strongly typed language with real arrays is a step backwards in a lot of ways. You mean I can't just push and pop things off that array? I have to check that string for being nothing and for being empty? Tedious. Or just different, ymmv.

1
1
Silver badge

To clarify I was talking about LSL, not JavaScript.

0
0
Devil

So...

"MS notes that most of [...] is supported, with the exception of “promises”. "

MS promises not supported... So standard MS SOP then....

Apologies, couldn't resist.

2
0
Silver badge

Crypto with JavaScript?

Isn't that like a Ford Pinto on a race track?

1
2
Silver badge

Re: Crypto with JavaScript?

You mean like this one?

https://www.youtube.com/watch?v=saX25ZLJkTM

1
0

Client side crypto - what could go wrong!?

Okay. So I as I understand it WebCrypto provides an API to "crypto primitives" via the browser. Playing the role of Mallory, what's to stop me from then bypassing this Javascript tier entirely and returning whatever I feel like to the caller?

Point being - the crypto itself can be harder than a coffin nail but that counts for nothing if the environment the code is running in can't be trusted? Or is the idea that I'd be running this through Node.Js or something?

1
1
Silver badge

Re: Client side crypto - what could go wrong!?

Playing the role of Mallory, what's to stop me from then bypassing this Javascript tier entirely and returning whatever I feel like to the caller?

That's not a description of an attack scenario; it's a vague handwave in the direction of one. You might as well ask "what's to stop me from preventing the user from encrypting sensitive data?". We don't know, because you haven't described the application.

The point of the WebCrypto API is to provide a standard way for a user agent ("browser") to encrypt, and apply other cryptographic primitives (digest, signature, pad, HMAC, etc) to select pieces of data. Then it might send the results of such an operation to a server, or it might not; and it might apply those operations to data received from a server.

Is there scope for an attacker to interfere? Of course there is, as with any security system. But positing a magical attacker who can simply "bypass[] this Javascript tier" isn't a useful critique.

5
0

Re: Client side crypto - what could go wrong!?

Michael,

It seems I'm not making myself clear as you have over generalized what I'm saying. I'm not providing a critique - I'm asking for genuine opinions on why I would want to do my cryptography in an untrusted environment.

The last reading I did on the subject was this document which makes some very valid points and explains the issue better than I did above:

http://matasano.com/articles/javascript-cryptography/

So - I'm asking out of genuine interest - does WebCrypto advance us further from where we were when this document was written?

0
0
This topic is closed for new posts.

Forums

Biting the hand that feeds IT © 1998–2018