[Bug 25345] Set window.crypto and all properties of window.crypto writable to false

From: <bugzilla@jessica.w3.org>
Date: Tue, 15 Apr 2014 17:59:17 +0000
To: public-webcrypto@w3.org
Message-ID: <bug-25345-7213-IjGVt82FES@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345

--- Comment #3 from Franz Antesberger <info@franz-antesberger.de> ---
Hi Boris,

I want to protect against malice.
For example https://github.com/openpgpjs/openpgpjs
uses crypto.getRandomValues() for key generation (RSA and AES) and encryption.
If an attacker can manipulate window.crypto.getRandomValues() via e.g.
cross-site code injection,
all generated keys and encrypted documents are broken, even if
openpgpjs puts all its own code in a closure, which cannot be manipulated.
I tested all current browsers. Only IE11 prevents window.crypto (here:
window.msCrypto) from being overwritten,
but even in IE11 all properties (including getRandomValues()) can be
overwritten.

PS: You cannot protect against incompetence.
"Only two things are infinite, the universe and human stupidity, and I'm not
sure about the former."
Albert Einstein

Received on Tuesday, 15 April 2014 17:59:18 UTC
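
The following is an added example, not part of the original message and not code from openpgpjs or any browser. It audits whether the two slots named in the bug title can still be replaced, pins them with `Object.defineProperty`, and shows a load-time captured reference as an alternative. `makeWindow`, `isReplaceable`, `lockDown` and `captureRng` are hypothetical names, and the code runs against a constructed stand-in object rather than a real `window`.

```javascript
// Constructed stand-in for a browser window object. Its getRandomValues is a
// placeholder for the browser's native function and is NOT a random source.
function makeWindow() {
  return {
    crypto: {
      getRandomValues(arr) {
        for (let i = 0; i < arr.length; i++) arr[i] = (i * 37 + 11) & 0xff;
        return arr;
      },
    },
  };
}

// True if a later script could still swap out obj[prop], by assignment,
// by redefinition, or by shadowing an inherited property on the instance.
function isReplaceable(obj, prop) {
  const own = Object.getOwnPropertyDescriptor(obj, prop);
  if (own) return Boolean(own.configurable || own.writable || own.set);
  if (Object.isExtensible(obj)) return true;
  const proto = Object.getPrototypeOf(obj);
  return proto === null ? false : isReplaceable(proto, prop);
}

// Pin both slots named in the bug title as non-writable, non-configurable
// own data properties. Assumption: this runs before any untrusted script.
function lockDown(win) {
  const c = win.crypto;
  const pin = { writable: false, configurable: false, enumerable: true };
  Object.defineProperty(c, 'getRandomValues', { ...pin, value: c.getRandomValues });
  Object.defineProperty(win, 'crypto', { ...pin, value: c });
}

// Alternative for a library: bind the function once at load time so later
// changes to window.crypto do not affect calls made through the reference.
function captureRng(win) {
  return win.crypto.getRandomValues.bind(win.crypto);
}
```

Both approaches depend on load order: they only help if they execute before any script that is not trusted.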