Re: client side encryption from Melvin Carvalho on 2013-06-07 (public-webpayments@w3.org from June 2013)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 7 Jun 2013 21:50:46 +0200
To: Kumar McMillan <kmcmillan@mozilla.com>
Cc: Web Payments <public-webpayments@w3.org>
Message-ID: <CAKaEYh+HGeabSogUVz6QcwLSwdbp0-_No4=UvcmZ0LMGEgW8zQ@mail.gmail.com>

On 7 June 2013 21:42, Kumar McMillan <kmcmillan@mozilla.com> wrote:

> In light of recent news about US government surveillance (some of it
> surprising, some of it not) I thought I'd point out a browser API that is
> on the standards track (and supported by Mozilla, Google, etc)
> http://www.w3.org/TR/WebCryptoAPI/
>
> Today it's possible to fully encrypt data client side in pure JavaScript
> but there are security implications and also execution will be slow since
> it's not native code. In the future, the WebCrypto API will expose native
> crypto code to JavaScript and also address security details by hiding a lot
> of logic in the chrome layer.
>
> WebCrypto applies to more than just payments but it will be especially
> nice for decentralized payment fulfillment. You could, theoretically,
> encrypt a credit card number so that only the target payment processor can
> decrypt it. You could then pass that opaque blob all over the Internet. It
> would not need to rely on a cloud service to do the encryption (which is
> typically how the web works today, aside from SSL/TLS).
>

+1

Very glad you raised this.  Please see also:

http://polycrypt.net/

*Description
*
Web apps are cool. Secure web apps are cooler. The W3C WebCrypto working
group <http://www.w3.org/2012/webcrypto/> is developing a crypto API for
the DOM <http://www.w3.org/TR/WebCryptoAPI/>. Ultimately, that should let
web apps get access to the high-grade crypto that's already in browsers.
Unfortunately, that means that web developers can't play with the API until
the browser vendors have it implemented.

In the mean time, we're trying to create a pure JavaScript implementation
of the WebCrypto API that people can use to get a feel for how they can use
the API in practice. This implementation might be useful after the API is
in browsers, as a polyfill for non-upgraded browsers. But that's a
secondary use case for us, due to the security risks of pure JS
crypto<http://www.matasano.com/articles/javascript-cryptography/>.
(That's also why we don't have HTTPS enabled for this server, as a reminder
not to use PolyCrypt when real security is required.)

Our latest release implements a recent
draft<http://dvcs.w3.org/hg/webcrypto-api/raw-file/60de9e02a40b/spec/Overview.html>of
the
Web Cryptography API from the W3C's WebCrypto working group. Check out our demo
page <http://demo.polycrypt.net> to see it in action.

>
> Kumar
>

Received on Friday, 7 June 2013 19:51:14 UTC