JavaScript Crypto Security

This cluster covers debates about implementing cryptography in JavaScript, including concerns over JS-based crypto libraries like crypto-js, recommendations for the WebCrypto API and libsodium, and warnings against rolling your own crypto.

📉 Falling 0.5x Security
Comments: 3,486
Years Active: 20
Top Authors: 5
Topic ID: #684

Activity Over Time

2007: 2
2008: 4
2009: 40
2010: 53
2011: 109
2012: 135
2013: 362
2014: 315
2015: 250
2016: 273
2017: 316
2018: 200
2019: 254
2020: 238
2021: 173
2022: 182
2023: 187
2024: 211
2025: 168
2026: 14

Keywords

e.g PHP JS PQ ModeOfOperation appwithphp.com IMO pqc.js XOR OpenPGP.js crypto browser js primitives cryptography encryption attacks code javascript library

Sample Comments

cryptocatsyndro Jul 14, 2013

you are right, this falls back in "normal" crypto-as-js security considerations.

cm3 Jul 4, 2016

What's the state of WebCrypto APIs, and is it already possible to avoid ciphers written and deployed in JS?

lopkeny12ko Feb 1, 2024

Whatever happened to "don't roll your own crypto"? Isn't this work best left to OpenSSL, for example?

woranl Aug 16, 2018

Why not use WebCrypto instead? No library needed.

marknadal May 24, 2019

Great reference! Do you know of a WebCrypto based implementation of this? Or even libsodium? That has been my hold back.

paulpauper Feb 18, 2023

What is the major difference? Isn't crypto-js still secure?

yuhong Jan 1, 2011

One of the reasons JavaScript crypto is a bad idea in most cases.

nly Sep 16, 2023

Libsodium you mean. Has safe cutting edge crypto, and nothing else.

TomMarius Apr 15, 2019

Native cryptography, I'd say

lvh Jan 21, 2017

Out of interest, if you're going to go off-standard, why not just use libsodium and get decent crypto?