How web browsers and WebCrypto API protects secrets

John

7/17/23, 10:12 AM

I tried to search and take a look at a way to securely generate or import secret keys on client-side. First I tried to see if it is possible to take advantage of TPM in Windows but as far as I understood it is not possible to use it. So as far as I got the correct way to deal with encryption keys was using Web Crypto API. I figured out that it uses IndexedDB to store the keys. I truly want to know how these keys are being protected from getting extracted if imported. I know that you need to set extractable property of the Key to false but does it take advantage of TPM or any hardware module to protect keys or just software based protection? BTW I read how KeyStore protects keys so I wonder if for web applications we have such an alternative.

0 + 0

encryption

keys

secure-storage

tpm

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How web browsers and WebCrypto API protects secrets

TH: เว็บเบราว์เซอร์และ WebCrypto API ปกป้องความลับอย่างไร

RO: Cum protejează browserele web și API-ul WebCrypto secretele

RU: Как веб-браузеры и WebCrypto API защищают секреты

VI: Cách trình duyệt web và API WebCrypto bảo vệ bí mật

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.