So, hopefully without shooting my mouth off (this time), here are some lessons I have been learning (the hard way) about SJCL:<p>* The SJCL library appears to be really great. It is super simple to use and has great documentation. Dan Boneh has a reputation that precedes him. I've been pointed in the direction of his work multiple times, independently, by different sources. [0]<p>* The SJCL library is only going to be as good as its implementation in the browser. For instance, how is it getting in the browser? Is it stored in an extension, or is it being loaded dynamically? If it is loaded dynamically, you are going to be vulnerable to a whole host of attacks, including cross-site and MITM. That aside, even if it is loaded dynamically and it gets there in one piece, is it loaded into the runtime securely? This last one is the real kicker for me. If you are implementing it as injected code onto a third party page, you are leaving it open to trivial manipulation by third parties. I was savaged by Nikcub for this, and rightly so. For embarrassing exchange, you can see my history.<p>* What is the threat model? Browser-based encryption is only ever going to deal with certain threat models - as we are seeing in the recent days, there is good reason to assume that end-point security on a host of devices may be compromised by state actors. Please note <i>I am not declaring this to be the case</i> based on my authority - but it seems like in a world where we are getting leaks off of handsets prior to encryption by Signal and Whatsapp, assuming end-points are secure is a big assumption. Additionally, I know the wikileaks Vault7 only list compromises up to Chrome ~35 and for Android below Kitkat [1], I've read this list is likely dated, and I don't think it is fair to assume that the development of zero days has stopped there. Accordingly, if you are trying to prevent intrusion from state actors, then there is reason to suspect that browser-based implementation will never get you there.<p>* Key generation and exchange remains an issue. Lots of people more qualified than I state that javascript RNGs are just not that great, which can significantly reduce entropy on keys. [2] On top of this, I want to talk about entropy more at length, in particular reference to SJCL: SJCL goes to some length to create 'random' (I personally cannot verify this) salts and initialization vectors. However, as far as I can tell, you have two choices: you either store those separately and transmit them separately from the message, which creates a whole host of issues in the transmission and storage of those salts, or you send them with the message. As far as I can tell, if you send them with the message, the extra entropy they introduce is not relevant for warding off brute force attacks or attacks based on trying to compromise the password (e.g. dictionary attacks), but are only useful against crib-based attacks or other cryptanalytic attacks - which, again, as far as I can tell, if you are going up against the sort of entity that has the resources to actually try and crack AES128 or AES256 by attacking the cipher, rather than the key, I suspect you are dealing with some very nasty people and using javascript crypto is not your best bet.<p>* Importantly, and critically, security is a conclusion, not a feature. Adding SJCL onto a communications protocol is not going to make it secure. In fact, it has been expressed by people better than me that that the author of software cannot self-authenticate that it is secure.[3] It needs to be subjected to third party (and, ideally, public scrutiny). So, in the end, if you are going to be using a library like SJCL, it is important to have the <i>particular implementation</i> tested by disinterested third parties. Though the math and code behind SJCL may be secure, actually getting it into a piece of software that people want to use introduces a gigantic raft of issues.<p>On background, the reason I know this as a (software) lawyer is because I have been working with SJCL on a node based application for quite some time. I do not represent it is secure - if I have in the past, that was in error and an oversight on my part (hat-tip to all the people on HN who have very rightly pointed this out). However, working on it has been extremely instructive and has confirmed what I always suspected to be true - if you want to be able to say something is secure, you need to be working with people who work on security as a primary occupation, not a hobby or a side-interest. It is too enormous, complex and ever-changing a field for anyone to be an 'expert' at it unless it is their primary concern.<p>As always, interested in any feedback or counterpoints. Especially on the math.<p>[0] <a href="http://crypto.stanford.edu/~dabo/" rel="nofollow">http://crypto.stanford.edu/~dabo/</a> ; <a href="https://www.linkedin.com/in/dan-boneh-8b599020/" rel="nofollow">https://www.linkedin.com/in/dan-boneh-8b599020/</a><p>[1] <a href="https://wikileaks.org/ciav7p1/cms/page_11629096.html" rel="nofollow">https://wikileaks.org/ciav7p1/cms/page_11629096.html</a><p>[2] <a href="http://stackoverflow.com/questions/17280390/can-local-storage-ever-be-considered-secure/24677597#24677597" rel="nofollow">http://stackoverflow.com/questions/17280390/can-local-storag...</a> - hat tip to <a href="https://news.ycombinator.com/user?id=bmh_ca" rel="nofollow">https://news.ycombinator.com/user?id=bmh_ca</a> , who, based on this thread, I have discovered was the author of that post on stackoverflow, which is instructive.<p>[3] <a href="https://www.schneier.com/blog/archives/2011/04/schneiers_law.html" rel="nofollow">https://www.schneier.com/blog/archives/2011/04/schneiers_law...</a>