
> Can you do serious crypto in C? Only if you know what you're doing and don't screw up. Same goes for javascript.

Overall I am sympathetic to your cause, but this raises alarms. JavaScript crypto is nonsense; you could have the implementation silently replaced with a naughty one at the host's leisure.

EDIT: To respond to all of you at once - everything I've seen so far says that he was aiming for JS in the browser. Did I miss something?



That has nothing to do with javascript-the-language, but rather the way the web works. Obviously even with https, javascript delivered by a web server has a vulnerability whereby the web server may be compromised, which is outside of the user's control. Any javascript delivered by a web server should be executed with that understanding. I.e., delivering a wallet from a web server is probably not the right thing to do. Note that javascript can also be run in the form of a browser extension, server-side node, node-webkit, apache cordova, etc. Javascript-the-language is not intrinsically vulnerable to a compromised webserver.


It's fair to say that JavaScript-the-language is not intrinsically vulnerable to this, but how else are you planning on delivering the JavaScript to clients? I may be misinterpreting your goals.


Not in the form of a webapp. It would have been a browser extension and/or mobile.


Thanks for clarifying.


This seems pretty much correct.


A usable browser implementation of a wallet could be secured fairly well and if it gained any popularity would put pressure on browser makers to deliver better solutions.


That's also true of C with an auto-update framework. That's also true of closed-source C.

There are plenty of ways to avoid that particular trap of JS crypto (or more specifically web crypto). Bundling it inside an extension comes to mind.

All that said, I'm not even convinced this attack is within the threat model of Redditcoin, given that it's resources for a specific website that is also the JS origin.


That's not really the case - yes, crypto in the browser is possibly nonsense, but crypto under e.g. Node.js is anything but.


We're not talking about client-side javascript, are we? I assumed he meant node.js/server side.


Yes exactly. I think people who are not whatsoever involved in the javascript world assume that javascript means "delivered by a webserver", which is just not necessarily true.


For what it's worth, I (the accuser) am super familiar with JavaScript, I just thought you were making a web app. Sorry to cause confusion.


> JavaScript crypto is nonsense

What makes you think this?



