Overview
Explore the controversial world of JavaScript cryptography in this conference talk from BruCON 0x06. Delve into the history of JS crypto, examine its perceived flaws, and challenge the notion that it is inherently insecure. See real-world examples of high-profile crypto libraries, applications, and systems that were tested for vulnerabilities, and compare JavaScript cryptography with established implementations such as OpenSSL, BouncyCastle, and GnuPG. Analyze the attack surface, including XSS, man-in-the-middle attacks, poor randomness, and timing side-channels, and gain insight into language-specific issues, browser quirks, and platform-related challenges. Leave with an updated, opinionated view on the state of JavaScript cryptography, equipped to question long-held beliefs and make informed decisions about its use in modern web applications.
Syllabus
Intro
About me
JS crypto history
Doomed to fail?
Action plan
Language issues matter
JavaScript at a glance
Bit quirks
Magic properties
Silent errors
16 snowmen attack!
AES - SubBytes
Encrypting...
Implicit type coercion
Decrypting...
Web platform
XSS
Poor randomness
Timing side-channels
Compiler optimisation
Direct memory access
Browser extension
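The syllabus items "Bit quirks", "Silent errors" and "Implicit type coercion" name three JavaScript language traps that bite crypto code in particular. The following block is an added illustration written for this page, not code from the talk or from any library it discusses; the function names, the sample message and the short key are constructed for the demonstration. It shows 32-bit bitwise semantics and double-precision overflow, an out-of-range array read that silently leaves plaintext unencrypted, and typed-array constructors turning a string into an all-zero key, each beside the check that catches it.

```javascript
// Added example (not from the talk): three JavaScript pitfalls for crypto code.

// Bit quirks: bitwise operators reinterpret operands as signed 32-bit ints, and the
// product of two 32-bit words does not fit the 53-bit mantissa of a double.
function bitQuirks() {
  const w = 0xFFFFFFFF;
  return {
    signedOr: w | 0,                      // -1: the uint32 is read back as int32
    unsigned: w >>> 0,                    // 4294967295: >>> 0 restores the unsigned view
    doubleProduct: w * w,                 // rounded to the nearest double, off by one
    exactProduct: BigInt(w) * BigInt(w),  // exact result
    imulLow32: Math.imul(w, w),           // 1: exact low 32 bits, as a 32-bit word multiply
  };
}

// Silent errors: indexing past the end of an array yields undefined rather than
// throwing, and undefined coerces to 0 in a bitwise expression. A keystream shorter
// than the message therefore leaves the tail in the clear, with no error raised.
function xorNaive(msg, key) {
  const out = new Uint8Array(msg.length);
  for (let i = 0; i < msg.length; i++) out[i] = msg[i] ^ key[i]; // key[i] may be undefined
  return out;
}

function xorChecked(msg, key) {
  if (!(msg instanceof Uint8Array) || !(key instanceof Uint8Array)) {
    throw new TypeError("msg and key must be Uint8Array");
  }
  if (key.length !== msg.length) {
    throw new RangeError(`key length ${key.length} != message length ${msg.length}`);
  }
  const out = new Uint8Array(msg.length);
  for (let i = 0; i < msg.length; i++) out[i] = msg[i] ^ key[i];
  return out;
}

function silentErrorsDemo() {
  // Constructed sample: a 14-byte message and a keystream that is only 8 bytes long.
  const msg = new TextEncoder().encode("attack at dawn");
  const key = new Uint8Array([0x13, 0x37, 0xc0, 0xde, 0xfa, 0xce, 0xb0, 0x0c]);
  const ct = xorNaive(msg, key);
  const tailLeaked = ct.subarray(key.length).every((b, i) => b === msg[key.length + i]);
  let checkedThrows = false;
  try {
    xorChecked(msg, key);
  } catch (e) {
    checkedThrows = e instanceof RangeError;
  }
  return { tailLeaked, checkedThrows };
}

// Implicit type coercion: a typed-array constructor coerces a non-object argument to
// a length, so a hex string passed where bytes were expected becomes a zero-filled
// buffer of that length, i.e. an all-zero key. Uint8Array.from on a string coerces
// each character to a number, and NaN is stored as 0.
function hexToBytes(hex) {
  if (typeof hex !== "string" || !/^([0-9a-fA-F]{2})+$/.test(hex)) {
    throw new TypeError("expected an even-length hex string");
  }
  const out = new Uint8Array(hex.length / 2);
  for (let i = 0; i < out.length; i++) out[i] = parseInt(hex.substr(2 * i, 2), 16);
  return out;
}

function coercionDemo() {
  const fromLength = new Uint8Array("16");       // 16 zero bytes, not the bytes "16"
  const fromChars = Uint8Array.from("deadbeef"); // eight zero bytes: "d" -> NaN -> 0
  return {
    lengthTrap: fromLength.length === 16 && fromLength.every((b) => b === 0),
    charsTrap: fromChars.length === 8 && fromChars.every((b) => b === 0),
    strictHex: Array.from(hexToBytes("deadbeef")),
  };
}
```

The common thread is that none of these failures is an exception: the wrong value flows on into the cipher, so the only defence is to validate types and lengths at the boundary and to use 32-bit-aware primitives (`>>> 0`, `Math.imul`, `BigInt`) wherever word arithmetic is intended.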
Taught by
BruCON Security Conference