web browser javascript key generation and related brain disorders

["Jason A. Donenfeld" <Jason@zx2c4.com>]

Hi everyone,

Some people have been asking me about delivering configurations to
users in the web browser. I usually try to keep sensitive crypto out
of the browser, and I don't really approve of JavaScript crypto, but
it struck me that in the absence of something better, commercial
providers might be tempted to generate private keys server side using
random(3) and send them to their poor users.

To preempt this mistake, I made this example code:
https://git.zx2c4.com/WireGuard/tree/contrib/examples/keygen-html

It generates a private key in the browser, makes a request to the
server with the corresponding public key, and then creates a
downloadable configuration file for the user. It's extremely simple.
It's certainly better than generating keys server side, though it does
come with these caveats:

- Curve25519, for deriving the public key, is compiled using
emscripten. Who knows what kind of code this actually generates, or
what all those optimization options wind up doing.
- explicit_bzero(3) isn't really a thing in JavaScript.
- You have to trust window.crypto.getRandomValues(). If you don't, you
could always hash together one block each of output from
window.crypto.getRandomValues() and some /dev/urandom data delivered
by the server. Or do that hilarious thing where you're asked to shake
your mouse around inside a box to "make some randomness", but please
don't actually do this; the 90s called and wants its DHTML snow flake
mouse trails back.
- JavaScript crypto is a pretty dubious proposition.

On the plus side, one could imagine some pretty easy-to-use
interfaces. Buttons like:

[Download .zip of configurations for all locations]
[Download .conf of us1] [Download .conf of nl1] [Download .conf of se1]

So, it's there now. Do with it what you will.

Regards,
Jason