8

I wrote a little webapp for secure message transfer to learn more about encryption, and wanted to show it to my friends and let them play with it a little, so I hosted it on my little server, and was shocked to find that the Web Crypto API (which I worked my ass off to get to work because it is not very specific in its error messages) REQUIRES SSL (kinda defeats the purpose of implementing your own encryption scheme in browsers)!

I already have another API running on that server with SSL, but instead of merging them I wanted to ask: Is there a way to circumvent the secure socket requirement of Web Crypto API, or is there another library out there which allows me to use the same or similar functions in a non-secure context?

sideshowbarker
Nicolai Veliki
  • Webcrypto is a browser API. In what way does it *require* SSL, or for that matter even a network connection? – President James K. Polk Dec 29 '19 at 17:14
  • @James Reinstate Monica Polk technically, you are right, but the site needs to be served in a secure context for most browsers (the most used ones) to allow the usage of the API. This is either localhost, which is how I tested it, or SSL. Since I pushed it to my server for everyone to use (and my friends to play with), it does require SSL in this sense – Nicolai Veliki Dec 29 '19 at 18:14

2 Answers

7

The WebCrypto API specification (https://www.w3.org/TR/WebCryptoAPI/) does not restrict use to SSL, but browser implementations require a "secure origin".

For example, Chrome requires https, wss, localhost or an extension. See https://stackoverflow.com/a/46671627/6371459

You would need to set up an SSL connection in order to use webcrypto. If you want to use another library (forge, pki.js, etc.) you will not have this restriction, although it is advisable to use SSL / TLS when using cryptography.

pedrofb
  • PKIjs, which is listed in the above, otherwise excellent answer, implements no crypto and therefore has the same origin restrictions as WebCrypto, since it is built on it. – rmhrisk Jan 24 '20 at 23:40
  • I would also add that using crypto in the context of a browser without authenticating the origin of the application and protecting the transfer of the site to the client is fruitless. This is not a web crypto limitation but one of the web security model. – rmhrisk Jan 24 '20 at 23:41
  • @pedrofb can you please tell me how to use the forge library to implement the functionality of window.crypto.subtle.importKey, because I do not have an https connection? – Satya Dev Yadav Jul 21 '21 at 08:01
  • @SatyaDevYadav, look in the documentation for "privateKeyFromPem" https://github.com/digitalbazaar/forge#pkcs8. Post a new question if you have specific doubts – pedrofb Jul 21 '21 at 14:40
  • @pedrofb Sir I posted a new question, can you check and guide me. Here is the link https://stackoverflow.com/questions/68479744/cannot-read-property-importkey-of-undefined-web-crypto-api-without-ssl – Satya Dev Yadav Jul 22 '21 at 06:00
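
The "secure origin" rule from the answer above, as an added example (not code from any of the posters): a small diagnostic that explains why `crypto.subtle` is missing instead of failing with "Cannot read property 'importKey' of undefined". The function names are hypothetical; the loopback handling (`*.localhost`, `127.0.0.0/8`, `::1`) goes slightly beyond the answer's list and follows the W3C Secure Contexts definition.

```javascript
// Added example. Origins treated as secure: https, wss, browser extensions, loopback.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);
const EXTENSION_SCHEMES = new Set(["chrome-extension:", "moz-extension:"]);

function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals, so strip them first.
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  return h === "localhost" || h.endsWith(".localhost") ||
         /^127(\.\d{1,3}){3}$/.test(h) || h === "::1";
}

function originIsSecure(pageUrl) {
  const u = new URL(pageUrl);
  if (SECURE_SCHEMES.has(u.protocol) || EXTENSION_SCHEMES.has(u.protocol)) return true;
  return isLoopbackHost(u.hostname);
}

// env mimics the page globals: { location: { href }, isSecureContext, crypto }.
// In a browser, pass `window`.
function diagnoseWebCrypto(env) {
  // Trust the browser's own verdict when it exposes one; otherwise apply the rule above.
  const secure = typeof env.isSecureContext === "boolean"
    ? env.isSecureContext
    : originIsSecure(env.location.href);
  if (env.crypto && env.crypto.subtle) {
    return { usable: true, reason: "crypto.subtle is available" };
  }
  if (!secure) {
    return { usable: false,
             reason: "insecure origin: serve the page over HTTPS or test on localhost" };
  }
  return { usable: false,
           reason: "secure origin but no crypto.subtle: this browser lacks Web Crypto" };
}

// Returns the SubtleCrypto object or throws an error that names the actual cause.
function requireSubtle(env) {
  const d = diagnoseWebCrypto(env);
  if (!d.usable) throw new Error("Web Crypto unavailable (" + d.reason + ")");
  return env.crypto.subtle;
}
```

In a page, `requireSubtle(window).importKey(...)` then fails with a readable message when the site is served over plain HTTP from a non-loopback host.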
0

Although I haven't tried this, you could use a shim.
https://github.com/vibornoff/webcrypto-shim
A shim is a JavaScript file that does the same thing as the built-in method. It's used for older browsers that don't support the new methods.

Russell Hankins