开发者

JavaScript based cryptographic signing?

开发者 https://www.devze.com 2022-12-08 09:52 出处:网络
I am dealing with a particularly paranoid group of users who might want their contributions to my web site to be signed (e.g. with a GPG key) before submitting.

I am dealing with a particularly paranoid group of users who might want their contributions to my web site to be signed (e.g. with a GPG key) before submitting.

Whil开发者_如何学Ce I could show them a "snippet" to copy and paste into their GPG tool, having the browser do this would certainly be nicer. With the JS performance of recent browsers, I'm not sure this request is as silly as it sounds.

Is there an existing solution for this or can you name good reasons against such an approach in general?


Already been done


Reasons against then

  1. You would need to unlock the private key - you can't do this with JavaScript
  2. You would then need to load the private key into the browser. Which, even if you could, would present a massive risk, as the JavaScript could then send it elsewhere
  3. Encryption is computationally heavy. JavaScript is slow enough as it is.
  4. Cross site scripting and JSON injection mean that if there is a vulnerability in your web site your JavaScript could be replaced - so even if your code was behaving itself, attackers may be able to inject script that doesn't behave.

Reasons for

No, can't think of any.

0

精彩评论

暂无评论...
验证码 换一张
取 消