The South West may not always be recognised for its technical ability and talent, but TechExeter certainly put paid to this on Wednesday (11th September 2019).
The annual event took place for the 4th year and welcomed over 180 attendees. With a variety of workshops and key speakers, the topics were sure to tempt and whet the appetite of any true techie, making it a ‘go-to’ event in the South West.
Jon Stace, Director of Technology at Software Solved, was one of the key speakers at the event, covering the topic of ‘Using the Web Cryptography API in PWAs/SPAs’.
You can download his full presentation from SlideShare or get a top-level overview of the content of his presentation below.
A growing need to encrypt
There is no question that there has been, and continues to be, a rise in the use of Single Page Applications (SPAs) and Progressive Web Applications (PWAs), and with it an increase in the probability of attacks.
Unlike data in transit, which is secured by means such as HTTPS, SPAs and PWAs have brought with them new challenges and the need to implement multiple layers of protection at the browser level. This is where the Web Cryptography API comes into play.
What are the options?
There is no ‘one size fits all’ solution for minimising risk and the use of multiple layers of security working together is crucial.
A number of JavaScript options have been created in the past, many of which came with risks that meant they weren’t truly fit for purpose. These risks included the inherent malleability of JavaScript, the lack of a secure random number generator and the absence of a secure keystore.
Then followed the Web Cryptography API, which addressed many of these risks. The chart below shows the support for the Web Cryptography API across various web browsers.
As you can see, IE is the only popular browser where compatibility is not high, but as this browser does not support offline capabilities, it is unlikely that SPAs and PWAs would be developed for use in it.
Are there still risks even when using this API?
The simple answer is yes. Here are a few reasons why…
- The API is considered a ‘subtle’ API
- It is a low-level API that still requires considerable effort by a developer to make it work as effectively as possible
- It remains reliant on the browser’s own security implementation of this API, and on its protections against attacks such as cross-tab browsing attacks
- It does not work in old browsers
Although to some this list may seem reason to steer well clear of the Web Cryptography API, this should not be the case. Ultimately it is important to remember that this would be just one of many layers of security used to reduce the risk of PWAs and SPAs being attacked.
Jon Stace said of the event:
“Events such as this are such an important part of highlighting the plethora of technical talent and expertise that exists in the South West. It was a great honour to be a part of the event and support the amazing work that TechExeter as an organisation do.
It also enabled us to provide our own team of developers the opportunity to attend the event, share experiences with peers and listen to a wide variety of topics and insights provided by the range of talented speakers.”