Web Cryptography API: Prevalence and Possible Developer Mistakes

Abstract

In this paper, we analyze mistakes that web developers can make when using the Web Cryptography API. We evaluate the impact of the uncovered mistakes and discuss how they can be prevented. Furthermore, we derive best practices from these mistakes to provide guidance to developers. To assess the relevance of the Web Cryptography API, we empirically evaluate how prevalently it is used by popular web applications on the Internet and in GitHub repositories, finding that only a small proportion of web applications use it. The most widely used operation by far is the generation of cryptographically secure random values, which was not possible in browser-based JavaScript prior to the Web Cryptography API.