Anyone implementing a crypto library in JavaScript is building a castle in a swamp anyway. There's no way you can sign code and it's too easy to fiddle with functions and the DOM in the browser.
When SecureRandom()... isn't: JavaScript fingered for poking cash-spilling holes in Bitcoin wallets
Concerns about a flawed crypto library that could allow Bitcoin theft have been revived following a post to a Bitcoin mailing list last week. David Gerard, a UK-based Unix admin and blockchain technology watcher, raised concerns in a blog post on Thursday. "The popular JavaScript SecureRandom() library … isn’t securely random …
COMMENTS
Sunday 15th April 2018 20:52 GMT Anonymous Coward
Re: Audit it all
There's a little German poem that summarises some aspects of modern software development.
Der Lattenzaun (The Slat Fence)
There once was a slat fence,
with gaps in between to look through.
An architect who saw this
stood there suddenly one evening -
and took the gaps out
and built a big house from them.
The fence meanwhile stood there quite stupidly,
with slats and nothing in between,
a sight both ghastly and mean.
So the Senate confiscated it.
The architect, however, fled
to Afri- or- Ameriko.
(Christian Morgenstern)
The key part is about a fence made of posts with spaces in between. An architect who saw this came by suddenly one evening and took the spaces in between, and built a big house from them.
An awful lot of the Internet is made up from the spaces in between the uprights, which means good luck with auditing all the code.
At the end of the poem, after the unfortunate consequences, the architect flies away to America (or Africa), leaving others to sort out the mess.