I think this is counterproductive - transpiling and relying on emscripten to be cryptographically secure in not changing your code is the very definition of rolling your own crypto. How do you know that you're compiling the right things to js?<p>The post says they've taken a cursory look at emscripten to make sure it doesn't have "timing attacks" in one short sentence. This is exactly the kind of verification that requires an experienced and professional cryptanalyst to audit, examine, and finally confirm that emscripten -> js indeed doesn't expose the cryptographic algorithms to side channel attacks, or add additional weaknesses to the cryptography.<p>If the authors of the original post are not cryptographically confident enough to "roll their own crypto" how can they verify that their tool chain is secure?<p>Don't roll your own crypto, especially in using tools that haven't been verified to be used in crypto by cryptanalysis.
It is super weird to see new code using Skein; doing that almost by definition implies you're rolling your own crypto (which has more to do with how you connect crypto primitives than which primitives you choose), but it's never made clear in this post exactly what they're doing with it.
Any reason for not to use the WebCryptoAPIs?<p><a href="https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API" rel="nofollow">https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_...</a>
For reference, an open source library using a similar approach (crytpo + asm.js):
<a href="https://github.com/vibornoff/asmcrypto.js/" rel="nofollow">https://github.com/vibornoff/asmcrypto.js/</a><p>Looks like the asmcrypto's speed boosts are pretty high relative to SJCL and CryptoJS. Granted, this article's approach is transpiles C->JS, not sure what the implications are there in terms of performance.
Interesting to see that other projects also consider client side Crypto possible by calling server side macros. Well done!<p>This is my project where I do it too : <a href="https://github.com/zubairq/coils" rel="nofollow">https://github.com/zubairq/coils</a>
I wonder if many of our security issues are not due to poorly written software, and a big part of that is accumulating layers of cruft in exactly this sort of way.<p>I would certainly write my own crypto (but not design my own encryption scheme!) before using such a heavyweight solution. Implementing crypto might be hard, but common, not harder than building a compiler.