This demonstrates a big complaint with the WebCrypto API: it exposes a bunch of stuff you never want to be dealing with --- either directly or, in some cases, at all:

* Never use RSA PKCS1v15

* Avoid padding arbitrary data to RSA-OAEP encryption (you only ever want to encrypt keys)

* The "nonce" bits of AES-CTR must be random, but the API doesn't even make it obvious which bits those are. Screw that up and you get no security.

* Avoid AES-CBC.

* You can't securely use AES-CBC or AES-CTR without a MAC.

* Never, ever use AES-CFB.

* Avoid multiplicative group DH (what WebCrypto calls "DH").

Out of all those examples, the only interfaces that approach "safe" are AES-GCM and AES-CMAC, and even the AES-GCM case makes it awfully easy to repeat the nonce, which is a devastating vulnerability.

As I understand it, whatever HN might want to believe this API is for, its real purpose is to make it possible to implement DRM without plugins. It's a compat interface, and it shows.

I noticed the inclusion of NIST curves and no modern ECC and decided I'd withhold judgment until someone else had a chance to look at it.

This is pretty terrible.

If anyone was looking forward to using this for creating browser extensions (do NOT deliver code from a webserver and assume it's safe!), you're better off using https://github.com/jedisct1/libsodium.js instead.