explaingit

bitwiseshiftleft/sjcl

7,219 · JavaScript · Audience: developer · Complexity: 2/5 · Setup: easy

TLDR

A deprecated JavaScript cryptography library, originally built at Stanford University for in-browser encryption and key generation. Upgrade existing installs to version 1.0.9 to patch a critical ECDH private-key vulnerability, then migrate to a modern alternative.

Mindmap

mindmap
  root((sjcl))
    What it does
      Encrypt data
      Generate keys
      Key exchange
    Status
      Deprecated
      Final patch 1.0.9
    Security Fix
      ECDH vulnerability
      Upgrade existing apps
    Audience
      Existing users
      Migration reference


Things people build with this

USE CASE 1

Upgrade an existing app that uses SJCL to version 1.0.9 to patch the ECDH private-key recovery vulnerability.

USE CASE 2

Reference the historical in-browser cryptography approach before the Web Crypto API was widely available.

Tech stack

JavaScript

Getting it running

Difficulty · easy · Time to first run · 30 min

Deprecated and no longer maintained; use it only to apply the final 1.0.9 security patch to existing projects before migrating away.

In plain English

SJCL stands for Stanford Javascript Crypto Library. It is a JavaScript library that was originally built at Stanford University to provide cryptographic tools you can use directly in a web browser or JavaScript application. Cryptography here means things like encrypting data, generating secure keys, and performing the mathematical operations that keep information private.

The library is officially deprecated, meaning the authors have stopped maintaining it and do not recommend using it in new projects. The README is explicit: if you are starting something new, look elsewhere for a more modern alternative. The only reasons the project still exists on GitHub are historical reference and distribution of a final security fix.

That security fix matters. A researcher discovered a serious vulnerability in the part of the library that handles a key-exchange method called ECDH. An attacker who could send specially crafted inputs to your application could potentially recover your private key, which would break the confidentiality of anything protected by it. This flaw was patched in version 1.0.9, which is the last release. If you are running any older version of SJCL in an existing application, upgrading to 1.0.9 is the only safe course of action.

Past versions of the library also changed how a base-32 text encoding worked: in version 1.0.4 the encoding alphabet was updated to match a formal standard, and data encoded with the old format needs to be decoded with a different codec name going forward. These details matter only if you have existing data produced by older versions.

In short, SJCL is a closed chapter. It served as a usable in-browser cryptography option before the modern Web Crypto API was widely available, but that era has passed. The repository stays up so existing users can access the final patched release and understand the history of changes.

Copy-paste prompts

Prompt 1
I have an existing app using SJCL for ECDH key exchange. How do I upgrade to version 1.0.9 to fix the vulnerability, and what modern Web Crypto API call should I migrate to afterward?
Prompt 2
My app uses SJCL base-32 encoding from before version 1.0.4. How do I decode that old-format data after upgrading to the new encoding alphabet?
Prompt 3
What are the modern in-browser alternatives to SJCL for symmetric encryption and key generation? Show a side-by-side comparison using the Web Crypto API.

