The Curious Case of WebCrypto Diffie-Hellman on Firefox (intothesymmetry.com)
81 points by CiPHPerCoder on Jan 7, 2020 | hide | past | favorite | 5 comments



The TL;DR by Ryan Castellucci is excellent: https://twitter.com/ryancdotorg/status/1214578765998645249

> Neat attack. TL;DR: A "non-exportable" finite field Diffie-Hellman private key can be extracted because the key object isn't bound to specific group parameters. XSS the site, do some operations with deliberately weak group parameters, solve for key.


The author found the bug inspired by: https://github.com/google/wycheproof

(it's in the thread of the original tweet, though the thread is in Italian: https://twitter.com/asanso/status/1214450115777351681)


In case anybody is curious about DH, it is a cryptographic algorithm for key exchange: https://en.m.wikipedia.org/wiki/Diffie–Hellman_key_exchange

The basic idea is that public keys need to be exchanged to perform encryption from one end and decryption at another end. An example is encrypting with the remote user's public key and they decrypt with their stored private key. It's complicated though because you don't want to exchange the public keys without restrictions where they can be obtained by unauthorized parties or disseminated without your consent. You also may not trust the distant end. That is why you have stuff like DH and key escrow.


Yours is at best a terribly muddled description. Public keys are _public_ and we don't care if they're "obtained by unauthorized parties" or "disseminated without your consent". That's what _public_ means.

The specific issue here is that the WebCrypto API is supposed to be protected against XSS. So if your code has a private key P and it turns out a bug in your site means bad guys can run whatever they want inside the VM where P is stored, they can't discover P. A bug in Firefox meant that it was actually possible to modify P and then do operations which have the effect of revealing it without undoing the virtual machine's protection for the actual value of P.

It's maybe hard to come up with concrete scenarios where this is a problem (which will be why it was so easy for Firefox to just remove it from the current version) but on the other hand it's also really hard to come up with concrete scenarios where WebCrypto was the Right Thing anyway so this is certainly not a point against WebCrypto sceptics like HN's Thomas Ptacek.


> The basic idea is that public keys need to be exchanged to perform encryption from one end and decryption at another end. An example is encrypting with the remote users public key and they decrypt with their stored private key. It’s complicated though because you don’t want to exchange the public keys without restrictions where they can be obtained by unauthorized parties or disseminated without your consent. You also may not trust the distant end.

This is actually not true. You completely mixed up asymmetric with symmetric encryption.

The former is also known as private-public key encryption and doesn't require DH, because each party has their own private key which doesn't get shared and a public key which does get shared, namely publicly, so no reason to use DH. This is what RSA is.

The latter is conventional encryption which uses a single private key which must be shared between two parties over an insecure channel. Before you establish a secure channel via encryption you must first exchange the secret piece of information that allows both sides to decrypt a cipher message. That exchange therefore happens over an insecure channel, which is a problem. DH is an algorithm which allows a secure exchange of a private message over a public/insecure channel.
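The following is an added example, not code from the article, from Firefox/NSS, or from any commenter. It illustrates both the extraction attack described earlier in the thread (a "non-exportable" finite-field DH private key whose key object is not bound to its group parameters) and the plain DH exchange this comment describes. The API shape (`makeUnboundKey`, `makeBoundKey`, `deriveBits(peerPublic, params)`) is a simplified stand-in for WebCrypto, the 61-bit group and the fixed private keys are constructed toy values, and real keys would come from a CSPRNG and use a group of at least 2048 bits.

```javascript
// Added simulation: not Firefox/NSS code, not the article's code, not any
// commenter's. It models a "non-exportable" finite-field DH private key two
// ways and runs the weak-group extraction attack against the unbound one.
// Every group here is a constructed toy; real deployments use >= 2048-bit p.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  for (; exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
  }
  return result;
}

// Group the honest parties agree on (constructed; 2^61 - 1 is prime, g = 3).
const REAL_GROUP = { p: 2n ** 61n - 1n, g: 3n };

// Unbound key (the bug class): x lives only in this closure, so it cannot be
// read out directly, but deriveBits trusts whatever group the caller passes.
function makeUnboundKey(x) {
  return {
    publicKey: modPow(REAL_GROUP.g, x, REAL_GROUP.p),
    deriveBits: (peerPublic, params) => modPow(peerPublic, x, params.p),
  };
}

// Bound key (the fix): the group is fixed at creation, other parameters are
// refused, and the peer value is range-checked before it is used.
function makeBoundKey(x, group = REAL_GROUP) {
  return {
    publicKey: modPow(group.g, x, group.p),
    deriveBits(peerPublic, params) {
      if (params.p !== group.p || params.g !== group.g)
        throw new Error("group parameters do not match this key's group");
      if (peerPublic <= 1n || peerPublic >= group.p - 1n)
        throw new Error("peer public value out of range");
      return modPow(peerPublic, x, group.p);
    },
  };
}

// Plain DH over an insecure channel: each side publishes g^x and derives the
// same g^(xa*xb) without either x leaving its key object. Returns the shared
// value, or null if the two sides disagree.
function honestExchange(xa, xb) {
  const alice = makeBoundKey(xa), bob = makeBoundKey(xb);
  const a = alice.deriveBits(bob.publicKey, REAL_GROUP);
  const b = bob.deriveBits(alice.publicKey, REAL_GROUP);
  return a === b ? a : null;
}

function isPrime(n) {
  if (n < 2n) return false;
  for (let d = 2n; d * d <= n; d++) if (n % d === 0n) return false;
  return true;
}

// Attacker-chosen weak groups: safe primes p = 2q + 1, in which the element 4
// has order exactly q. Collect them until the product of the q's exceeds bound.
function weakGroups(bound) {
  const groups = [];
  let product = 1n;
  for (let q = 2n; product <= bound; q++) {
    if (isPrime(q) && isPrime(2n * q + 1n)) {
      groups.push({ p: 2n * q + 1n, g: 4n, q });
      product *= q;
    }
  }
  return groups;
}

function modInverse(a, m) {
  let [r0, r1, s0, s1] = [a % m, m, 1n, 0n];
  while (r1 !== 0n) {
    const qt = r0 / r1;
    [r0, r1] = [r1, r0 - qt * r1];
    [s0, s1] = [s1, s0 - qt * s1];
  }
  return ((s0 % m) + m) % m;
}

// Chinese remainder theorem over pairwise coprime moduli.
function crt(residues) {
  let x = 0n, M = 1n;
  for (const { r, m } of residues) {
    const t = ((((r - x) % m) + m) % m) * modInverse(M % m, m) % m;
    x += M * t;
    M *= m;
  }
  return x;
}

// The attack from the thread: feed the victim's key each weak group in turn,
// brute-force x mod q from 4^x mod p, then combine with CRT. Returns null if a
// residue cannot be found (the key did not compute in the group we supplied).
function extractPrivateKey(key, bound = REAL_GROUP.p) {
  const residues = [];
  for (const grp of weakGroups(bound)) {
    const shared = key.deriveBits(grp.g, grp); // 4^x mod p depends only on x mod q
    let k = 0n;
    for (let acc = 1n; acc !== shared; acc = (acc * grp.g) % grp.p) {
      if (++k >= grp.q) return null;
    }
    residues.push({ r: k, m: grp.q });
  }
  return crt(residues);
}
```

With the toy 61-bit group, thirteen weak groups (q up to 173) are enough for the product of the subgroup orders to exceed p, so the whole extraction is a few hundred modular multiplications; `extractPrivateKey(makeUnboundKey(x))` returns `x`, while the same call on `makeBoundKey(x)` throws on the first foreign parameter set. The `honestExchange` path shows the legitimate use the API is meant for: the secret never leaves the key object, and binding the key to its group is what keeps it that way.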



