The Signal protocol for Node and browsers

215 points by ifelsehow, over 8 years ago

5 comments

AgentME, over 8 years ago
> At the end of the day, window.crypto can be absolutely anything. ... If you must run the signal protocol in-browser, run it in Electron, or as a Chrome app ... At the end of the day, window.crypto can be absolutely anything. If we can bundle all primitives with the rest of the application code, we can verify the integrity of that one JS bundle

If the attacker is running code within the same javascript context, within the browser's process, or within the user's operating system kernel... then you're hosed. Anything can be anything. Other javascript within the same context could redefine global functions, intercept objects passed through them, and mutate function references in your JS bundle. Or it could just log the DOM! A browser plugin or a kernel rootkit can keylog the user. The only defense an application has against the user's own machine being compromised is obfuscation, and that's a losing battle.

There are real issues with doing cryptography with users' keys in web pages, but it's not "their machine might be compromised" (and Electron doesn't solve that anyway). Even if the page javascript correctly stores user keys in localStorage where the server can't see them, nothing stops the server from serving you some backdoored javascript tomorrow which silently uploads your localStorage to the server. This might be correctly solvable with ServiceWorkers, though you'd want users to have some way to verify that they have the correct and peer-reviewed ServiceWorker source running. The easiest way to do that would be some kind of local application or browser plugin, but then at that point that you've involved a local application you've missed some of the original goal at keeping it all in a browser, and it would probably be easier for everyone involved if the crypto just happened in the local application to begin with.

Interestingly, some `window.crypto` functions actually solve some of the problems with running cryptography in web pages. You can create and use a crypto key that is handled by the browser and never has its key material exposed to javascript. Even if an attacker injects javascript into the page or the server serves malicious javascript the next day, there's no way to steal the key material. `window.crypto` can effectively provide a virtual HSM from the web page's perspective.
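The non-extractable key behaviour described in the comment above, as an added example that is not part of the original thread. It assumes ECDSA P-256 as the algorithm; the function names `makeSigningKey` and `demo` and the sample message are constructed for illustration.

```javascript
// Added example: a non-extractable WebCrypto key (browser, or Node.js via the fallback).
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;

const SIGN_ALG = { name: 'ECDSA', hash: 'SHA-256' };

// extractable = false applies to the private key; the public key stays exportable.
async function makeSigningKey() {
  return subtle.generateKey(
    { name: 'ECDSA', namedCurve: 'P-256' },
    false,
    ['sign', 'verify']
  );
}

async function demo() {
  const { privateKey, publicKey } = await makeSigningKey();
  const msg = new TextEncoder().encode('constructed sample message');

  // Page script can ask the browser to sign with the key...
  const sig = await subtle.sign(SIGN_ALG, privateKey, msg);
  const verified = await subtle.verify(SIGN_ALG, publicKey, sig, msg);

  // ...but every request for the private key bytes is rejected
  // (InvalidAccessError per the Web Crypto spec), whichever script asks.
  let exportRefused = false;
  for (const format of ['pkcs8', 'jwk']) {
    try {
      await subtle.exportKey(format, privateKey);
      exportRefused = false; // an export succeeded: key material was exposed
      break;
    } catch (err) {
      exportRefused = true;
    }
  }

  const spki = await subtle.exportKey('spki', publicKey);
  return {
    extractable: privateKey.extractable,
    verified,
    exportRefused,
    publicKeyExportable: spki.byteLength > 0,
  };
}

demo().then((result) => console.log(result));
```

The flag prevents the key material from being copied out; script running in the page can still request signatures from the key while the page is loaded.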
johnhenry, over 8 years ago
Olm, the ratcheting algorithm used by matrix.org https://matrix.org/git/olm/about/ is also worth mentioning.
bryanrasmussen, over 8 years ago
I love that hack:

    module.exports = Module;

    // Do not recurse into module and waste all day
    Module.inspect = function() { return '[Module]' }

from https://github.com/fabiosantoscode/require-emscripten/blob/master/post-js.postjs
baby, over 8 years ago
> Where TLS can provide an encrypted channel for convincing the user they are talking to the right server, Signal can convince the server it is talking to the right user - and that it is the same user that we spoke to last time.

Same thing can be done with TLS. It's called session resumption.
davej, over 8 years ago
> At the end of the day, window.crypto can be absolutely anything.

Would it be possible to toString() the function and check if it is a native function before execution? Seems like a simple solution but perhaps I'm missing something? I guess in theory the toString() method could also be hijacked. :-/