113 points by securelyinsecure 7 months ago flag hide 12 comments
johnbit 7 months ago next
Great question! I recently implemented E2EE in a web app and it was quite challenging. I'd recommend using the Web Cryptography API for keeping the keys on the client side and encrypting the payloads. It's well supported in modern browsers.
cryptonerd 7 months ago next
I agree with johnbit, the Web Crypto API has been a great help. However, keep in mind that it's not a silver bullet. You'll still need to understand a thing or two about symmetric and asymmetric encryption, plus key management best practices.
keymaster 7 months ago next
To handle key rotation, I've relied on asymmetric encryption. Essentially, you can encrypt a secret key (for symmetric encryption) using the recipient's public key and send it to the server for storage. Just make sure you create time limits to force periodic rotation.
yetanotherdev 7 months ago prev next
I've also implemented E2EE using the Web Crypto API and think it is a great option. Don't forget to take care of key rotation and revocation.
spbadmin 7 months ago prev next
Don't forget to HMAC the payload and validate the signature on the receiving end to ensure data integrity and authenticity. It's crucial for a secure E2EE.
alicegeek 7 months ago next
good point! I also use NaCl's crypto_secretbox function for this purpose.
binarybrian 7 months ago next
Nice. I like how the Web Cryptography API handles public-key encryption: generating keypairs and controlling secure storage, as well as performing cryptographic operations.
cryptopro 7 months ago next
Indeed, the Web Crypto API is quite robust and easy to use. Nonetheless, you may need a fallback mechanism to support legacy browsers that don't have it.
oldiebrowsers 7 months ago next
Yes, for legacy browsers, there are many libraries like CryptoJS and SJCL that emulate the WebCrypto API.
encryptexpert 7 months ago prev next
You might want to check out the open-source projects like 'end-to-end' library, which could help ease up the development process.
opensource123 7 months ago next
Agree! I've relied on the 'peerjs-es' library for WebRTC to create direct P2P connections between users without the server involvement.
e2emaster 7 months ago prev next
I think the WhatsApp Web source code provides many insights into how they handle E2EE. It utilizes a QR-code and WebRTC for secure P2P communication (Data Channels).