ECDSA nonce reuse strikes again—this time in a JavaScript library. 🚫

nostr:nprofile1qqsw3znfr6vdnxrujezjrhlkqqjlvpcqx79ys7gcph9mkjjsy7zsgygprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvqy2hwumn8ghj7mn0wd68ytndd9kx7afwd3hkcd62swf and nostr:nprofile1qqsvak4cr0jzaarahhn98a9602e94sa2xt8u9dnjac8cns86lzp0z0spz4mhxue69uhkummnw3ezummcw3ezuer9wchszythwden5te0dehhxarj9emkjmn99ulw5uvg discuss the dangers of using JavaScript for cryptography, the importance of type validation, and why libsecp is the gold standard for #Bitcoin security. [BR093]

https://m.primal.net/PpNP.mov


Discussion

From Gemini deep research

...

In conclusion, the debate surrounding the suitability of JavaScript for security-sensitive development is multifaceted.

The elliptic vulnerability serves as a significant reminder of the potential risks involved in cryptographic _implementations_. (Emphasis mine)

However, it should not lead to an outright rejection of JavaScript. Instead, it should foster a more informed and cautious approach, emphasizing the critical role of secure development practices and the continuous need for vigilance in the ever-evolving field of cybersecurity.

The choice of programming language for security-sensitive applications should be a carefully considered decision based on a thorough understanding of the specific security requirements, the capabilities and limitations of the language, and the expertise of the development team.

lol, LLM slop. The ECC code has orders of magnitude less meaningful code review than the canonical Bitcoin Core implementation.