
Is JavaScript cryptographically secure?

JavaScript cryptography is hard but not impossible. If you are new to this topic, have a look at the articles by Thomas Ptacek or Nate Lawson.

The main issue is securely distributing the code in charge of the cryptographic operations and maintaining its integrity, as well as setting up a cryptographically secure random number generator. Currently, the recommendation for solving these problems is to use a browser extension. Passbolt follows this recommendation.

The other issue is the quality of the JavaScript implementation of the cryptographic functionality, and the fact that JavaScript has its fair share of pitfalls. This is true for any programming language and can only be addressed through careful code review. Passbolt uses OpenPGP.js, which has been reviewed multiple times by Cure53, for its cryptographic functionality.
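To illustrate the random number generator point above, the following added example (not Passbolt or OpenPGP.js code) draws random strings from the platform CSPRNG through `crypto.getRandomValues` and uses rejection sampling to avoid modulo bias. The function names `csprngBytes`, `uniformIndex` and `randomString` are hypothetical, and the sample byte source is constructed.

```javascript
// Added example: not Passbolt or OpenPGP.js code; all function names are hypothetical.
// Web Crypto is a global in browsers, extensions and recent Node.js;
// older Node.js releases expose the same API through node:crypto.
const webCrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Default entropy source: the platform CSPRNG, never Math.random().
function csprngBytes(count) {
  const buf = new Uint8Array(count);
  webCrypto.getRandomValues(buf);
  return buf;
}

// Uniform integer in [0, n) for 1 <= n <= 256, by rejection sampling.
// A plain `byte % n` favours small results whenever 256 is not a multiple of n.
function uniformIndex(n, getBytes = csprngBytes) {
  if (!Number.isInteger(n) || n < 1 || n > 256) {
    throw new RangeError('n must be an integer between 1 and 256');
  }
  const limit = 256 - (256 % n); // largest multiple of n that is <= 256
  for (;;) {
    for (const byte of getBytes(16)) {
      if (byte < limit) return byte % n; // bytes >= limit would skew the result
    }
  }
}

// Random string whose symbols are each drawn uniformly from `alphabet`.
function randomString(length, alphabet, getBytes = csprngBytes) {
  const symbols = Array.from(new Set(alphabet)); // de-duplicate so no symbol is favoured
  if (symbols.length < 2) throw new RangeError('alphabet needs at least 2 distinct symbols');
  if (!Number.isInteger(length) || length < 1) throw new RangeError('length must be a positive integer');
  let out = '';
  for (let i = 0; i < length; i++) {
    out += symbols[uniformIndex(symbols.length, getBytes)];
  }
  return out;
}

// Constructed byte source showing the rejection step: 255 and 252 are >= 250
// and are discarded for n = 10, so the first accepted byte is 13.
const constructedSource = () => Uint8Array.of(255, 252, 13);
console.log(uniformIndex(10, constructedSource));
console.log(randomString(24, 'abcdefghijklmnopqrstuvwxyz0123456789'));
```

The optional `getBytes` parameter exists only so the rejection logic can be exercised with fixed bytes; production callers should leave it at the default.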

Organizing more regular independent third-party audits is one of our main priorities. We need your support to be able to organize them.
