
Hi HN! Author of the tool here. Just woke up to a few emails pointing me to this thread. Thanks for the interest and added eyeballs!

I'll answer some of the comments here and address the newly opened issues during the day. To answer a few questions that seem common skimming this thread:

* CBC vs GCM: we had a conversation regarding this topic where it seemed CBC weaknesses do not apply in the StatiCrypt context. I'd love to hear your thoughts if you have any - issue is here[1].

* WebCrypto: I've been wanting to use WebCrypto instead of crypto-js for years now. It's been in my "Important but not urgent" bucket (since crypto-js should be secure too), the interface is different so I want to make sure I do it correctly and life happened, so I never got farther than drafts. Thank you for the PRs, I hope to get to it soon!

* "static" means no server-side logic (not no JS): I first made StatiCrypt to solve my own issue of wanting to password-protect an HTML page I could host on a static file host (Netlify, GitHub Pages...). The whole point is to not have a server or DB, so we can't use Basic auth etc.

* Iteration count for PBKDF2: will increase today

As I write in the FAQ[2], I do my best to implement things correctly, but I'm not a cryptographer - any feedback to make the tool better or more secure is very welcome!

[1] https://github.com/robinmoisson/staticrypt/issues/19#issueco...

[2] https://github.com/robinmoisson/staticrypt#is-it-secure


