In a recent WebKit blog post, Apple made a compelling argument for adopting some new coding standards for encryption. The technology behind those web pages we love to use is ever-evolving, but sometimes the trick is convincing developers to learn new ways of doing things. Let’s look at the argument Apple makes for adopting WebCrypto encryption, in easier-to-understand language.
What Is WebKit and WebCrypto Encryption?
WebKit, in short, is a mechanism for showing you those web pages you love in your browser. It powers Apple’s Safari web browser as well as Chromium-based browsers like Google Chrome and Opera.
Performance Increases Using WebCrypto
See the table below, demonstrating WebCrypto’s performance in AES-GCM encryption and decryption. The table also showcases how quickly SHA-2 can determine a file’s overall integrity, whether the file is encrypted or decrypted.
This typically happens because a Trojan or other malware on the user’s computer injects the malicious code. I believe we may have seen examples of this with LastPass and LinkedIn, although those sites haven’t disclosed precisely how they were breached.
WebCrypto API: A More Secure Model
The fact that security and performance are better across the board with WebCrypto API should be enough to encourage developers to migrate their secure web apps. So, why haven’t more secure websites implemented the WebCrypto API?
These Things Take Time
Developing a secure interface for a transport medium (like the web) that is so inherently insecure takes loads of time and resources. Once they’ve completed the job, companies are reluctant to devote the time, energy, and money to do it over again.
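For readers who have not used it, here is what the AES-GCM and SHA-2 operations mentioned above look like through the WebCrypto API. This is an added example, not code from the WebKit post; the helper names (`encrypt`, `decrypt`, `sha256Hex`, `demo`) and the sample strings are constructed for illustration.

```javascript
// Added example: AES-GCM and SHA-256 through WebCrypto (browser or Node.js).
// Falls back to node:crypto's webcrypto object when no global crypto exists.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// SHA-256 (a member of the SHA-2 family) digest of a string, hex encoded.
async function sha256Hex(text) {
  return toHex(await subtle.digest("SHA-256", enc.encode(text)));
}

// Encrypt with a fresh random 96-bit IV. The IV is not secret, but it must
// never repeat under the same key, so it is generated per message.
async function encrypt(key, plaintext, aad) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const params = { name: "AES-GCM", iv, additionalData: aad };
  const ct = await subtle.encrypt(params, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) }; // ct ends with the 128-bit auth tag
}

// Decrypt; returns null when the authentication tag does not verify.
async function decrypt(key, { iv, ct }, aad) {
  try {
    const params = { name: "AES-GCM", iv, additionalData: aad };
    return new TextDecoder().decode(await subtle.decrypt(params, key, ct));
  } catch {
    return null;
  }
}

async function demo() {
  // extractable = false: page script cannot export the raw key bytes.
  const key = await subtle.generateKey(
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
  const aad = enc.encode("record-id:42"); // constructed sample context
  const box = await encrypt(key, "constructed sample message", aad);
  const tampered = { iv: box.iv, ct: box.ct.slice() };
  tampered.ct[0] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: await decrypt(key, box, aad),
    tampered: await decrypt(key, tampered, aad),
    wrongAad: await decrypt(key, box, enc.encode("record-id:43")),
    ctLength: box.ct.length,
    digest: await sha256Hex("abc"),
  };
}
```

A modified ciphertext or mismatched associated data makes `decrypt` return `null` rather than altered plaintext, which is the integrity guarantee AES-GCM provides on top of confidentiality.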