Is JavaScript cryptographically secure?
JavaScript cryptography is hard but not impossible. If you are new to this topic, you can have a look at the articles by Thomas Ptacek or Nate Lawson.
The main issue is securely distributing the code in charge of the cryptographic operations and maintaining its integrity, as well as obtaining a cryptographically secure random number generator. The current recommendation for solving these problems is to use a browser extension, and Passbolt follows it.
The other issue concerns the quality of the JavaScript implementation of the cryptographic functionality and the fact that JavaScript has its fair share of pitfalls. This is true of any programming language and can only be addressed through careful code review. Passbolt uses OpenPGP.js for its cryptographic functionality, which has been reviewed multiple times by Cure53.
Organizing more regular independent third-party audits is one of our main priorities, and we need your support to be able to organize them.