Web Crypto API without SSL

I wrote a little webapp for secure message transfer to learn more about encryption, and wanted to show it to my friends and let them play with it a little, so I hosted it on my little server, and was shocked to find that the Web Crypto API (which I worked my ass off to get to work because it is not very specific in its error messages) REQUIRES SSL (kinda defeats the purpose of implementing your own encryption scheme in browsers)!

I already have another API running on that server with SSL, but instead of merging them I wanted to ask: Is there a way to circumvent the secure socket requirement of Web Crypto API, or is there another library out there which allows me to use the same or similar functions in a non-secure context?

Jasik asked 29/12/2019 at 13:50

Webcrypto is a browser API. In what way does it require SSL, or for that matter even a network connection? (Hyperion)

@James Reinstate Monica Polk technically, you are right, but the site needs to be served in a secure context for most browsers (the most used ones) to allow the usage of the API. This is either localhost, which is how I tested it, or SSL. Since I pushed it to my server for everyone to use (and my friends to play with), it does require SSL in this sense. (Jasik)

The WebCrypto API specification (https://www.w3.org/TR/WebCryptoAPI/) does not restrict use to SSL, but browser implementations require a "secure origin".

For example, Chrome requires https, wss, localhost or an extension. See https://mcmap.net/q/25292/-how-to-enable-crypto-subtle-for-unsecure-origins-in-chrome

You would need to set up an SSL connection in order to use WebCrypto. If you want to use another library (forge, pki.js, etc.) you will not have this restriction, although it is advisable to use SSL / TLS when using cryptography.

Almazan answered 30/12/2019 at 16:14

PKIjs, which is listed in the above, otherwise excellent answer, implements no crypto and therefore has the same origin restrictions as WebCrypto, since it is built on it. (Jephthah)

I would also add that using crypto in the context of a browser without authenticating the origin of the application and protecting the transfer of the site to the client is fruitless. This is not a web crypto limitation but one of the web security model. (Jephthah)

@Almazan can you please tell me how to use the forge library to implement the functionality of window.crypto.subtle.importKey, because I do not have an https connection. (Stately)

@SatyaDevYadav, look in the documentation for "privateKeyFromPem": github.com/digitalbazaar/forge#pkcs8. Post a new question if you have specific doubts. (Almazan)

@Almazan Sir I posted a new question, can you check and guide me? Here is the link: #68480244 (Stately)

There is a way to enable the Web Crypto API for insecure origins in Chrome settings.

  1. Go to chrome://flags/#unsafely-treat-insecure-origin-as-secure.
  2. Add the origin which you want to treat as secure, e.g. http://example.com:8080.
  3. Relaunch Chrome.
  4. Verify by visiting http://example.com:8080 and typing crypto.subtle in the DevTools Console.
Safire answered 28/4 at 3:46
