Ask HN: Does wasm or web crypto api help web app crypto?

10 points by giantahead 9 years ago · 1 comment · 1 min read


WebAssembly is a very promising idea and has a chance to provide better means for building security into web apps than SJCL/etc. by enforcing same-origin policy, sandboxing execution, being able to limit side-channel attacks, etc. Similarly promising is the Web Crypto API: better primitives, consistent across browsers. My question is: will it even help, given that end-user interaction is still in the DOM, and attackers can still inject code that overrides calls to the better implementations of ciphers? Or am I missing something in the threat model of both?

dsacco 9 years ago

I think I don't fully understand your challenge as stated, so I'm perhaps not able to give the response you're looking for.

With that said, let's take the way that Netflix implemented DRM via web crypto and encrypted media extensions. Assuming that an attacker is in a position to inject arbitrary code in the browser's execution, the attacker still cannot bypass the server-side implementation (otherwise it wouldn't be DRM). Unless there is an exploitable weakness in the cryptosystem on the client-side that can be meaningfully chained to the server-side, you need to control both areas of execution to break the crypto involved.

When you say "override calls to better ciphers", do you mean something like a downgrade attack, such as in TLS? It's true that you could masquerade the client as a device that is only capable of using a vulnerable type of encryption, but in that scenario the server-side can simply choose to not support it. In fact (again using Netflix as an example), it is more or less a requirement of these cryptosystems that the algorithm's work be distributed between a client and a server for exactly this reason.

If what you're talking about is more of a situation where rogue software gains access to the DOM while you're using Web Crypto to have an OTR-encrypted, browser-based conversation with someone else, and it uses your secret key in execution to decrypt the other party's messages: sure. But I'm not sure what's special about that versus client-side takeover of any other cryptosystem. You could just as easily take over Signal on a jailbroken iPhone.
