from Hacker News

Show HN: Storing Private Keys in the Browser Securely

by jwally on 4/23/24, 7:02 PM with 14 comments

So the main purpose here is to show _a_ way that session-token theft can be mitigated. Clearly, this isn't NSA proof or something you'd use to secure a BL5 containment facility, but to prevent session-jacking; if feels like it could help a lot, and would be pretty quick and easy to roll out if an IDP wanted to implement it.

  • by xori on 4/24/24, 2:45 PM

    so I don't fully understand what you're preventing

        const db = await openDatabase();
    const keyPair = await getKeyPair(db);
    await crypto.subtle.exportKey("jwk", keyPair.privateKey)
    exports the private key if I have a XSS vuln.

    The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header 3) sending the signature in the header. The crypto.subtle api only works on https domains so you're not defending against mitm attacks on unsecure networks either. And if we can't trust TLS what can we trust on the web?

  • by throwaway888abc on 4/23/24, 7:16 PM

    Hat off, You made it! After reading and skimming Show HN: Device-Bound Session Tokens in JavaScript ( https://news.ycombinator.com/item?id=40052684 ) I had "same" idea to explore PoC, but never done. Thanks!