JavaScript-based cryptographic signing?

Question

JavaScript-based cryptographic signing?

I am dealing with a particularly paranoid group of users who may wish to have their contribution to my website signed (using the GPG key, for example) before submitting.

While I could show them a “snippet” to copy and paste into my GPG tool, using a browser would certainly be better. Thanks to the JS performance of recent browsers, I'm not sure if this request is as dumb as it seems.

Is there an existing solution for this, or can you name a good reason against this approach as a whole?

+4

javascript browser cryptography signing

pudo Oct 11 '09 at 16:19

source share

2 answers

Reasons against

You will need to unlock the private key - you cannot do this using JavaScript
Then you will need to load the private key into the browser. Which, even if you could, would be a huge risk since JavaScript could then send it to another location
Encryption is computationally heavy. JavaScript is pretty slow as it is.
Cross-site scripting and JSON injection mean that if your website has a vulnerability, your JavaScript can be replaced - so even if your code behaves, attackers can embed a script that does not behave.

Causes

No, I can’t think of it.

-one

blowdart Oct 11 '09 at 16:23

source share

Shay erlichmen · Accepted Answer · 2009-10-11T16:24:42+0000

Already done

JavaScript-based cryptographic signing?

More articles: