Remove support for DH from WebCrypto API (not in spec)
Categories
(Core :: DOM: Web Crypto, task, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox72 | --- | fixed |
People
(Reporter: jcj, Assigned: jcj)
References
Details
(Keywords: site-compat)
Attachments
(1 file)
Bug 1034856 added support for DH algorithms to WebCrypto, however the final specification did not choose to include them, making Firefox the only browser with support.
Bug 1539578 added telemetry to show usage, and it is extremely low (not appearing on the graphs), which could be expected as Firefox is the only supporting browser.
Since DH is an ongoing maintenance burden -- and overall cryptanalysis of DH is progressing -- let's remove it.
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 1•6 years ago
|
||
Bug 1034856 added support for DH algorithms to WebCrypto, however the final
specification did not choose to include them, making Firefox the only browser
with support.
Bug 1539578 added telemetry to show usage, and it is extremely low (not
appearing on the graphs), which could be expected as Firefox is the only
supporting browser.
Since DH is an ongoing maintenance burden -- and overall cryptanalysis of DH
is progressing -- let's remove it.
Notice to unship went to dev-platform on 29 March 2019 with no objections. [0]
[0] https://groups.google.com/d/msg/mozilla.dev.platform/Ut3-eQmUdWg/O9w1et1aBgAJ
|
||
Comment 3•6 years ago
|
||
| bugherder | ||
|
|
||
Comment 4•6 years ago
|
||
Posted a site compatibility note for this.
|
||
Comment 5•6 years ago
|
||
Should this have been uplifted to the ESR, especially given:
https://blog.intothesymmetry.com/2020/01/the-curious-case-of-webcrypto-diffie.html
|
|
Assignee | |
Comment 6•6 years ago
|
||
I don't believe this warrants an uplift to ESR; one would have to go out of their way to build a WebCrypto application using FFDH, and then have that application be vulnerable to XSS. The full discussion of that is in Bug 1471684, which will likely be unhidden shortly.
Description
•