[liberationtech] Is cryptico.js any good?
Steve Weis
steveweis at gmail.com
Wed Oct 12 15:37:42 PDT 2011

There are good reasons not to use Javascript crypto in general:
http://www.matasano.com/articles/javascript-cryptography/
http://rdist.root.org/2010/11/29/final-post-on-javascript-crypto/

Regardless, I wouldn't trust Cryptico because its underlying implementations
are all written from scratch and I have no idea if any of them are safe.

Quickly scanning through their code, I see some questionable practices.
For example, they are seeding randomness from the time of day:
https://code.google.com/p/cryptico/source/browse/trunk/random.js#376

And the "signature" is just a hash and is on the plaintext, rather than
ciphertext:
https://code.google.com/p/cryptico/source/browse/trunk/cryptico.js#3487

On Wed, Oct 12, 2011 at 2:56 PM, Uncle Zzzen <unclezzzen at gmail.com> wrote:
>
> http://cryptico.wwwtyro.net/ is a javascript RSA library
> At the bottom of https://code.google.com/p/cryptico/ there's a tech
> summary of the algorithms and libraries it uses.
>
> Does anyone here know it? How good is it? Is there any reason NOT to use it?
> Any other considerations? (e.g. if it's not over SSL - client-side
> code can be MITMed).
>
> Thanks,
> The Dod
>
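
The first concern raised in the message above, seeding randomness from the time of day, shown as an added JavaScript example. It is not part of the original post and is not Cryptico's code: the toy xorshift generator, the function names and the timestamp are constructed for illustration, and the comparison is against the platform CSPRNG.

```javascript
// Constructed toy generator, NOT Cryptico's code: a 32-bit xorshift PRNG whose
// entire output is determined by its seed.
function xorshift32(seed) {
  let s = (seed >>> 0) || 1;            // keep the low 32 bits; avoid the all-zero state
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s;
  };
}

// Weak pattern: key bytes drawn from a generator seeded with the clock (ms).
function weakKey(nowMs, len = 16) {
  const next = xorshift32(nowMs);
  return Array.from({ length: len }, () => next() & 0xff);
}

// Audit helper: given a key and a rough guess of when it was made, count how
// many clock values must be tried before one reproduces it.
function searchSeedWindow(key, guessMs, windowMs) {
  const target = key.join(',');
  let tried = 0;
  for (let t = guessMs - windowMs; t <= guessMs + windowMs; t++) {
    tried++;
    if (weakKey(t, key.length).join(',') === target) return { seed: t, tried };
  }
  return null;                          // nothing in the window reproduces the key
}

// Corrected pattern: bytes come straight from the platform CSPRNG.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
function strongKey(len = 16) {
  return Array.from(webCrypto.getRandomValues(new Uint8Array(len)));
}

// Constructed sample: a key made at some instant, searched with a guess that
// is 5 s off and a +/- 60 s window (120001 candidates).
const madeAt = 1318459062000;           // arbitrary constructed timestamp (ms)
const hit = searchSeedWindow(weakKey(madeAt), madeAt + 5000, 60000);
console.log('weak key reproduced after', hit.tried, 'guesses');
console.log('CSPRNG key reproduced:', searchSeedWindow(strongKey(), madeAt, 60000) !== null);
```

The clock-seeded key falls to a search of at most 120001 candidates, roughly 17 bits of uncertainty, whatever the key length; the CSPRNG key has no seed tied to the clock, so the same search finds nothing.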