The long and winding road to safe browser-based cryptography

- The Latest
  Regular reporting on government secrecy, surveillance, and the rights of reporters and whistleblowers.
  - On the Issues
  - News Releases
- Technology
  Working open source software products to protect journalists, newsrooms, and their sources.
  - SecureDrop
  - Dangerzone
- U.S. Press Freedom Tracker
  A database of press freedom incidents in the United States.
  - Data visualizations
  - Explore the database
- Digital Security Education
  Digital security trainings and resources for journalists.
  - Request a Training
  - Guides & Resources
- About Us
  Protecting and defending press freedom when we need it the most.
- Our Team
  - Staff & Contributors
  - Board of Directors
- Transparency
  - Reports & Financials
  - Announcements
- Get in Touch
  - Jobs & Internships
  - Contact Us
Donate

Browser-based cryptography has struggled with a longstanding chicken-and-egg problem that predates many features of the modern web, and while some of those features have reduced the problem’s severity, the issue remains: What is the basis for trusting the code that performs browser-based encryption?

This question applies to popular web applications such as WhatsApp Web, Proton Mail, and Tuta, as well as to browser-based collaboration suites, crypto wallets — and of course, whistleblowing platforms. As part of our work toward a redesigned SecureDrop, we review the problem of browser-based cryptography and introduce the design requirements that are shaping our work in this area.

To read more about a problem that is legally old enough for a learner’s permit in several U.S. states, read the full article here.

Get Notified. Take Action