I am dealing with a particularly paranoid group of users who might want their contributions to my web site to be signed (e.g. with a GPG key) before submitting.

While I could show them a "snippet" to copy and paste into their GPG tool, having the browser do this would certainly be nicer. With the JS performance of recent browsers, I'm not sure this request is as silly as it sounds.

Is there an existing solution for this or can you name good reasons against such an approach in general?

A: 

Reasons against then

  1. You would need to unlock the private key - you can't do this with JavaScript.
  2. You would then need to load the private key into the browser, which, even if you could, would present a massive risk, as the JavaScript could then send it elsewhere.
  3. Encryption is computationally heavy. JavaScript is slow enough as it is.
  4. Cross-site scripting and JSON injection mean that if there is a vulnerability in your web site your JavaScript could be replaced - so even if your code was behaving itself, attackers may be able to inject script that doesn't behave.

Reasons for

No, can't think of any.

blowdart
[CSP](https://wiki.mozilla.org/Security/CSP/Spec) solves numbers 2 and 4. Also, number 1 is invalid.
Eli Grey
If he wants integration with GPG then JavaScript isn't going to talk to GPG. Mozilla's solution is only for Mozilla, and symmetric isn't for paranoid users who will want their own keys issued, and isn't secure enough for that type of thing.
blowdart
+3  A: 

Already been done

Shay Erlichmen
Also see JavaScrypt (http://www.fourmilab.ch/javascrypt/) for symmetric algorithms.
erickson
That's a pretty incomplete implementation: no signatures, no padding, no key management. It will be hard to make this work with GPG.
Accipitridae
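As an added illustration of the question and of points 1, 2 and 4 in the first answer (this is not code from the page or from any project named on it): a detached signature over a contribution, made and checked with the standard Web Crypto API. It assumes an ECDSA P-256 key standing in for the user's key, so it does not interoperate with GPG/OpenPGP; the function names and the sample text are constructed for the example.

```javascript
// Added example: sign a contribution client-side, verify it server-side.
// Assumption: ECDSA P-256 with SHA-256 via Web Crypto; not an OpenPGP signature.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle;

const KEY_ALG = { name: "ECDSA", namedCurve: "P-256" };
const SIG_ALG = { name: "ECDSA", hash: "SHA-256" };
const utf8 = (s) => new TextEncoder().encode(s);

// extractable = false: script on the page can use the private key,
// but exportKey() on it is refused, so the raw key cannot be read out.
async function createSigningKey() {
  return subtle.generateKey(KEY_ALG, false, ["sign", "verify"]);
}

// Returns a base64 detached signature over the exact submitted text.
async function signContribution(privateKey, text) {
  const sig = new Uint8Array(await subtle.sign(SIG_ALG, privateKey, utf8(text)));
  return btoa(String.fromCharCode(...sig));
}

// What the receiving side would run with the user's registered public key.
async function verifyContribution(publicJwk, text, signatureB64) {
  const key = await subtle.importKey("jwk", publicJwk, KEY_ALG, true, ["verify"]);
  const sig = Uint8Array.from(atob(signatureB64), (c) => c.charCodeAt(0));
  return subtle.verify(SIG_ALG, key, sig, utf8(text));
}

async function demo() {
  const { privateKey, publicKey } = await createSigningKey();
  const publicJwk = await subtle.exportKey("jwk", publicKey);
  const text = "Constructed sample contribution: fix typo in section 3."; // constructed input
  const signature = await signContribution(privateKey, text);
  // Attempting to export the private key must be rejected.
  const privateKeyExportBlocked = await subtle
    .exportKey("jwk", privateKey)
    .then(() => false, () => true);
  return {
    validAccepted: await verifyContribution(publicJwk, text, signature),
    tamperedAccepted: await verifyContribution(publicJwk, text + " (edited)", signature),
    privateKeyExportBlocked,
  };
}

demo().then((result) => console.log(result));
```

A non-extractable key only stops the key material from being read; script injected into the page can still ask the browser to sign text of its choosing, which is the concern raised in point 4.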