Archives For August 2011

After reading this thought-provoking post: http://www.matasano.com/articles/javascript-cryptography/ I thought I would enumerate some of the concerns raised and try to explain how DOMCrypt handles at least some of problems that are inherent in JavaScript cryptography.

  • DOMCrypt is not a low-level crypto API. DOMCrypt is very high-level, making it much harder to ‘do it wrong’. The only configuration is telling DOMCrypt what algorithm to use. See: https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
  • Private key material is never exposed to content JS. Each keypair is represented by an ID. This keeps the key material in a secure key store outside of content. (In the case of Firefox, the key material will be stored in NSS’ key database)
  • Each domain/origin will have its own keypair. You will have to know the ‘KeyID’ to use the domain’s keypair to encrypt data. Being able to handle secret key material in content is ‘doing it wrong’. The original DOMCrypt prototype code as well as all of the crypto libraries do this. Not good.
  • All algorithms are well designed, well tested and maintained crypto functions created by tried and true cryptographers (In the case of Firefox’s implementation we have NSS under the covers). Millions of users have depended on this underlying crypto for a decade plus. Part of the motivation for DOMCrypt is that each site might roll their own crypto implementation, or use an implementation that is out in the wild, which are likely to be subtly wrong.  By providing DOMCrypt, we can leverage all the careful scrutiny that has already gone into browser crypto implementations. We are not re-building the wheel. (Random numbers are truly random as we are calling into NSS or other system crypto depending on the browser implementation)
  • Fast. This is not a concern in the Matasano article, but I think it is a valid point. DOMCrypt calls crypto functions written in C, so all of the crypto operations are quite fast.

There are, of course, still many concerns even with a built in crypto API, but I think it is a step in the right direction. Moving all of the heavy crypto operations into the browser itself and exposing only a high-level API to consumers is the beginning. Making encryption as trustworthy as possible in a malleable content JavaScript environment will take some additional work.

 

*thanks to Adam Barth for input

Apparently, I have been summoned by the “7 things” internet meme… This is where you divulge 7 things that people may not know about you and tag 7 more people. I am wondering how I get paid for this. It is a ponzi scheme, right?

The details of my life are quite inconsequential.

1. My father was a relentlessly self-improving boulangerie owner from Belgium with low grade narcolepsy and a penchant for buggery. My father would womanize, he would drink, he would make outrageous claims like he invented the question mark. Some times he would accuse chestnuts of being lazy, the sort of general malaise that only the genius possess and the insane lament.

2. My mother was a fifteen year old French prostitute named Chloe with webbed feet.

3. My childhood was typical, summers in Rangoon, luge lessons. In the spring we’d make meat helmets. When I was insolent I was placed in a burlap bag and beaten with reeds, pretty standard really.

4. At the age of 12 I received my first scribe. At the age of fourteen, a Zoroastrian named Vilma ritualistically shaved my testicles. There really is nothing like a shorn scrotum, it’s breathtaking, I suggest you try it.

Uh, just kidding… Of Course, the previous points are a joke.

Here we go:

When I was five, my family moved to Germany so my dad could help with the post World War II occupation, you know. This was in 1977. (Wow, I am  old.) We lived in Augsburg for 3 years. I was quite aware of the Cold War at the age of 5.

I enrolled in my Junior year of college and never paid the tuition and never showed up to class, instead, I played guitar in a band that was nearly signed to a major record label. of course, these things just never turn out the way you want them to. My band played some pretty big shows opening for Blur once, and other indie bands such as Medicine, The Leaving Trains and Catherine. We recorded at the same studio as Smashing Pumpkins and occasionally hung out with some of them. Ahhh, hanging with Rock Stars at 20 years old… those Were the Days.

I saw the Orb in 1993 and renounced rock music for techno, starting a fledgling techno music group in Chicago. I DJ’d at some pretty huge Raves back in the day. Some of my music is on SoundCloud.

Back in 1995, Netscape went public, I finally set up a PPP account at Suba.net in Chicago. My boss at the time told me the “internet is a fad, the future is in the CD-ROM”. I quit my job and went to work at Northwestern University where they have had an internet connection since 1981. I taught myself HTML. I was into the web.

My wife and I eloped to Italy for a wedding in Florence. We spent a month in Italy, Croatia and Germany and probably spent as much money as the average bride spends on a dress. I HIGHLY recommend it.

I worked at Industrial Light and Magic for 18 months and that is all I can tell you about it, except that it felt more like working at IBM than a tech company on Tatooine (it WAS also a lot of fun).

My wife and I have 2 children, Cecilia – 5 and Henry – 1. Last year we moved back to the Chicago area, bought a place in the woods and are adjusting well to country living.

That about sums it up. I am supposed to tag 7 people now: @shorlander, @dao (is he on twitter?), @limi, @faaborg, @pastith, @ratcliffe_mike and @neonux