undefined | Better HN

0 pointsmike_hearn2y ago0 comments

Last time I used WebCrypto the implementation in Safari was buggy in subtle ways. It was possible to work around it. I filed bugs against Apple so maybe it's fixed now.

These days you can argue that a browser is intended to do anything, as there seems to be no scope limit to what goes into HTML5. But it's not what they're really about. Why did this exploit occur, well, WebCrypto apparently isn't directly exposed to WASM as C/C++ APIs even though that seems like an obvious thing to do. Or an even more obvious possibility: expose it as a subset of some existing API like POSIX. But WASM is api-lite, so everything beyond pure computation requires invoking JS and that's not how any existing C++ is written.

Eventually people will blast through this stuff. But, it was worked out in other platforms in the 80s and early 90s.

0 comments

nailer2y ago

> Last time I used WebCrypto the implementation in Safari was buggy in subtle ways.

Oh hell yes. I used maintain webcrypto code for a different job and yes Safari was broken forever. I don't have the codebase anymore (I sold the company in 2020) but we disabled keypair crypto features in Safari and told people to use a different browser. I believe it's since been fixed.

mike_hearnOP2y ago

Congrats on selling the company!

j / k navigate · click thread line to collapse