Noah Freitas

Reputation: 17430

Verifying BrowserID Assertions in JavaScript with Web Cryptography API

Will the additions to the JavaScript runtime environment in the web browser proposed in the Web Cryptography API allow us to securely verify BrowserID assertions in the browser with JavaScript?

Upvotes: 0

Views: 148

Answers (1)

François Marier

Reputation: 660

You could already verify BrowserID assertions client-side in JavaScript, but the problem is that you can't trust the client.

A user could, for example, run your code through a proxy server which alters the JavaScript to always claim that assertions are valid. Unless you're doing server-side verification, your server code will be vulnerable to clients claiming that everything is fine when in fact the assertion is bogus.

No browser API will change the fact that as far as the server is concerned, you cannot rely on the client doing the right thing. The server needs to do that verification itself.

Upvotes: 2
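The answer's point as an added example (not code from the post or from the BrowserID project): a server that accepts the browser's verdict next to one that verifies the assertion itself. The token here is a simplified stand-in for a BrowserID assertion (one signed JSON payload, not the real certificate-chain format), and every name, key and address is constructed for the demo.

```javascript
// Runs on Node.js; keys and tokens below are constructed for this demo.
const crypto = require('node:crypto');

// Stand-in for the identity provider's signing key pair (assumption).
const idp = crypto.generateKeyPairSync('ed25519');

// Simplified assertion: base64url(JSON payload) + "." + base64url(signature).
function issueAssertion(payload, privateKey = idp.privateKey) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  const sig = crypto.sign(null, Buffer.from(body), privateKey);
  return `${body}.${sig.toString('base64url')}`;
}

// Server-side verification: signature, audience and expiry are checked here,
// with the provider's public key, on a machine the user does not control.
function verifyAssertion(assertion, expectedAudience, now = Date.now()) {
  try {
    const [body, sig] = String(assertion).split('.');
    if (!body || !sig) return null;
    const signed = crypto.verify(null, Buffer.from(body), idp.publicKey,
      Buffer.from(sig, 'base64url'));
    if (!signed) return null;
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
    if (payload.aud !== expectedAudience) return null;           // meant for another site
    if (typeof payload.exp !== 'number' || payload.exp <= now) return null; // expired
    return typeof payload.email === 'string' ? payload.email : null;
  } catch {
    return null; // malformed input is treated as an invalid assertion
  }
}

// Vulnerable: the verdict was computed by JavaScript in the browser, which a
// user or an intermediary can alter, so the server learns nothing from it.
function loginTrustingClient(request) {
  return request.clientSaysValid ? request.claimedEmail : null;
}

// Hardened: the client's verdict and claimed email are ignored entirely.
function loginVerifyingOnServer(request, audience) {
  return verifyAssertion(request.assertion, audience);
}
```
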
