Difference between revisions of "Javascript cryptography"

From Bitcoin Wiki
(Create page)
 
(Add link to gmaxwell's discussion of javascript crypto)
Line 10: Line 10:
  
 
This is even before you get into the fact of how easy it is for sites to quietly substitute different JS, or the fact that HTTPS provides virtually no protection against attackers with a network position close to the server (because you can get a cert for any domain you can answer HTTP requests for...). <ref>https://www.reddit.com/r/Bitcoin/comments/6ss91w/seriously_how_are_you_all_generating_your_private/dlf4uhr/</ref>
 
This is even before you get into the fact of how easy it is for sites to quietly substitute different JS, or the fact that HTTPS provides virtually no protection against attackers with a network position close to the server (because you can get a cert for any domain you can answer HTTP requests for...). <ref>https://www.reddit.com/r/Bitcoin/comments/6ss91w/seriously_how_are_you_all_generating_your_private/dlf4uhr/</ref>
 +
 +
== SF Bitcoin Devs Seminar talk==
 +
 +
Greg Maxwell discusses javascript cryptography. (watch time: 3 min 6 sec)
 +
 +
https://www.youtube.com/watch?v=TYQ-3VvNCHE&t=3071
  
 
== See Also ==
 
== See Also ==
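
Review bot: the added heading `== SF Bitcoin Devs Seminar talk==` lacks the space before the closing `==`, unlike the neighbouring `== See Also ==`, so the heading style is inconsistent. The new section also consists of only a bare timestamped YouTube URL with no summary of what is said in the talk, so the section carries no content if the video becomes unavailable. Suggest normalising the heading to `== SF Bitcoin Devs Seminar talk ==` and adding a one-sentence summary of the argument, with the link cited in a `<ref>` as the Reddit link above it is.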

Revision as of 12:41, 26 October 2018

JavaScript cryptography is cryptographic software, especially Bitcoin software, written in JavaScript.

JavaScript is not a suitable language for this. Such software is best avoided.

Explanation

Please don't use any javascript address generator for anything that matters.

The common libraries they have used have had a long and worrying series of mathematical flaws that cause them to occasionally generate addresses that do not match the private keys, and were completely without the sorts of test that would have detected these mistakes. Even if the errors are all fixed now, it's very easy for a webpage generator to be using an old version without anyone really noticing.

This is even before you get into the fact of how easy it is for sites to quietly substitute different JS, or the fact that HTTPS provides virtually no protection against attackers with a network position close to the server (because you can get a cert for any domain you can answer HTTP requests for...). [1]
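
The quoted text above says the libraries lacked tests that would have caught keys and addresses that do not match. The following is an added example, not code from this wiki or from the quoted author: a differential test that derives a secp256k1 public key with a small BigInt reference and compares it with a second implementation. Node's built-in `crypto` module stands in for the implementation under test, and all function names and test scalars are assumptions made for the example.

```javascript
const crypto = require('crypto');

// secp256k1 domain parameters: field prime P, group order N, generator G.
const P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2Fn;
const N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141n;
const G = [0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798n,
           0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8n];

const mod = (a) => ((a % P) + P) % P;
// Modular inverse via Fermat's little theorem: a^(P-2) mod P.
function inv(a) {
  let r = 1n, b = mod(a), e = P - 2n;
  for (; e > 0n; e >>= 1n, b = mod(b * b)) if (e & 1n) r = mod(r * b);
  return r;
}
// Affine point addition on y^2 = x^3 + 7; null is the point at infinity.
function add(A, B) {
  if (!A) return B;
  if (!B) return A;
  const [x1, y1] = A, [x2, y2] = B;
  if (x1 === x2 && mod(y1 + y2) === 0n) return null;
  const m = x1 === x2 ? mod(3n * x1 * x1 * inv(2n * y1)) : mod((y2 - y1) * inv(x2 - x1));
  const x3 = mod(m * m - x1 - x2);
  return [x3, mod(m * (x1 - x3) - y1)];
}

// Reference derivation (test oracle only, not constant-time): double-and-add.
function pubReference(d) {
  if (d <= 0n || d >= N) throw new RangeError('private key out of range');
  let R = null;
  for (let Q = G; d > 0n; d >>= 1n, Q = add(Q, Q)) if (d & 1n) R = add(R, Q);
  const hex = (v) => v.toString(16).padStart(64, '0'); // fixed width keeps leading zeros
  return '04' + hex(R[0]) + hex(R[1]);
}

// Implementation under test; Node's crypto module is a stand-in (assumption).
function pubUnderTest(d) {
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(d.toString(16).padStart(64, '0'), 'hex');
  return ecdh.getPublicKey('hex'); // uncompressed: 04 || X || Y
}

// Constructed edge cases: tiny scalars, N-1, N-2, keys with many leading zero bytes.
const CASES = [1n, 2n, 3n, N - 1n, N - 2n, 1n << 128n, 0xDEADBEEFn, (1n << 255n) - 19n];

// Returns the scalars for which the two implementations disagree.
function crossCheck(cases = CASES) {
  return cases.filter((d) => pubReference(d) !== pubUnderTest(d));
}
```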

SF Bitcoin Devs Seminar talk

Greg Maxwell discusses javascript cryptography. (watch time: 3 min 6 sec)

https://www.youtube.com/watch?v=TYQ-3VvNCHE&t=3071

See Also

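References

1. https://www.reddit.com/r/Bitcoin/comments/6ss91w/seriously_how_are_you_all_generating_your_private/dlf4uhr/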