He credits the authors in his doc, but agreed on the warning - I am not a cryptographer, but my knowledge of side-channel attacks has me pretty worried that the RSA implementation is not safe.

Code that has been written and/or audited by cryptographers would qualify as 'real crypto.' I don't think anybody has a problem with someone putting together this package; the only problem is with the lack of a proper notice that the code hasn't been audited.

That's a fair point. The idea that it could be used "for demonstration purposes only", though, seems to go too far in that direction. It seems like a useful library, just not for organizing a coup.

Javascript cryptography is breakable by teenagers. The attacks don't require a government.

I would argue that rot13 is better than unencrypted, and that this is a step up from rot13. Sure, it's imperfect, but it's still better than nothing, and while I'm only a mediocre programmer, it appears to be easy-to-use, to boot. Better-than-nothing and easy-to-use seems like something more useful than "for demonstration purposes only", don't you think?

I am fine with stipulating that Javascript cryptography is approximately as good as rot13, and so we can move on.

The company I work for (who for obvious reasons I will refuse to mention) refuses to implement standard cryptographic practises in its product. Several months after starting there, and after a lot of loud complaining, I managed to get them to switch to using bcrypt instead of plaintext passwords in the backend database. Only in the next release are they switching to using TLS for logins, and even then sometimes defaulting to a clearly fucked Javascript implementation of cryptography to send the password (using public key crypto with global server key that only changes on server restart, with replay attacks galore).

The one thing I can say about the JS cryptography is that it normally protects somewhat against passive sniffing attacks, but when it's as broken as this, it doesn't even accomplish that task.

This sort of thing seems chronic in the industry, and it's dismaying.

And as we both know, the "passive sniffing attacker" is a myth. If you can sniff packets, you can intercept traffic. We don't reason about security mechanisms by tying the attackers hands behind their back.

But of course. Preaching to the choir.

Management made the decision that my trivial change to eliminate replay attacks was "too much effort". I am inclined to agree, since even with such a change the effort required to circumvent their entire so-called security is minimal.

Next quarter they're introducing e-commerce solutions. Dear god.

One might argue that, if an unnamed company's e-commerce solution would put a lot of people at risk, and an unnamed engineer can prove it, that unnamed engineer has an ethical obligation to discreetly report the vulnerability first to the unnamed company, then to successively more influential and more public venues (e.g. consumer protection groups, security research groups, etc.), until the company responds.

One might argue that such a course of action will simply get the engineer pointlessly fired.

Really? You can't concede that an implementation like this is better than rot13?

If you're in a position to intercept the traffic, then you can likely rewrite it. That includes the JS.

Sometimes plain text is safer. Otherwise people have the illusion of security.

Why do you say that? If properly implemented strong crypto is strong, regardless of the language.

See the link I posted elsewhere on the thread.