WebCrypto is locked up in non secure pages (not loaded from HTTPS)

[daviddias]

After seeing reports on js-ipfs:

• https://github.com/ipfs/js-ipfs/issues/964
• https://github.com/ipfs/js-ipfs/issues/963

I went to investigate to find this https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/DtOFo51WFMo

It seems that WebCrypto does require a secure context to run and that is not granted in non HTTPS loaded pages. It has an exception for localhost though.

We have a couple of options here:

• a) Accept and notify the users that they should use SSL to load their webpages
• b) Shim all the libraries for when WebCrypto is not available

I prefer option 2, although it will bloat the size of the bundle (again)..

[dignifiedquire]

wow webcrypto gets worse with every thing I learn about it. This is incredible..

[dignifiedquire]

I have some ideas on alternatives, will update here after some experiments

[dignifiedquire]

In the short term we should adding a warning in any case as the current releases all have this issue

[dignifiedquire]

I am making good progress with my experiments of using asmcrypto.js. Speedwise it looks pretty good and I believe it has everything we need.

[mitra42]

@dignifiedquire - have you looked at Libsodium ? We've been using that in JS.

[dignifiedquire]

@mitra42 I haven't given it a thorough try yet as we need more than it provides, but I will recheck again what we can use from it, thanks for the reminder

[daviddias]

libsodium is great but it exists in its own universe of crypto, the djb universe. We need to support what go-ipfs does and that means that libsodium isn't enough.

[Kubuxu]

Yes, libsodium is an implementation of what NaCl established in this space so it won't be sufficient.