JavaScript based cryptographic signing?
https://stackoverflow.com/questions/1551070
-
20-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am dealing with a particularly paranoid group of users who might want their contributions to my web site to be signed (e.g. with a GPG key) before submitting.
While I could show them a "snippet" to copy and paste into their GPG tool, having the browser do this would certainly be nicer. With the JS performance of recent browsers, I'm not sure this request is as silly as it sounds.
Is there an existing solution for this or can you name good reasons against such an approach in general?
Solution
OTHER TIPS
Reasons against then
- You would need to unlock the private key - you can't do this with JavaScript
- You would then need to load the private key into the browser. Which, even if you could, would present a massive risk, as the JavaScript could then send it elsewhere
- Encryption is computationally heavy. JavaScript is slow enough as it is.
- Cross site scripting and JSON injection mean that if there is a vulnerability in your web site your JavaScript could be replaced - so even if your code was behaving itself, attackers may be able to inject script that doesn't behave.
Reasons for
No, can't think of any.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
