Yo, check this out.
Moving Beyond the NPM elliptic Package

If you're in a hurry, head on over to soatok/elliptic-to-noble and follow the instructions in the README in order to remove the elliptic package from your project and all dependencies in node_modules.

Art: CMYKat

Why replace the elliptic package?

Yesterday, the Trail of Bits blog published an intern's post about finding cryptographic bugs in the elliptic library (a JavaScript package on NPM) by using the Wycheproof.

#npm #crypto #cryptography #elliptic #security #infosec #cve #mitigation #appsec #javascript #js #npm #npmsecurity #npmpackages
2015: "Not using AWS or CloudFlare is an availability risk, because DDoS" 2025: "Using AWS or CloudFlare is an availability risk, because surprise outages"
I know it will take time, but the Fediverse developers should strongly consider making the following opinionated technical decisions:

- Use RFC 9421 instead of the earlier HTTP Signature spec.
- Make Ed25519 the default algorithm, not 2048-bit RSA.

Ed25519 has a lot of advantages over RSA and ECDSA.

Over 2048-bit RSA:

- Shorter signatures
- Shorter keys (both secret and public), less storage/bandwidth overhead
- More security (112-bit vs 126-bit)

Over ECDSA:

- It's much faster than ECDSA
- You don't have to worry about biased nonces leaking your secret key through lattice reduction
- Tuned for security (no weird parameters)

Over **both RSA and ECDSA**:

- EdDSA is constructed to provide Exclusive Ownership, which is a stronger notion of security
- Easier to implement in constant-time

Bonus:

- Ed25519 is approved for use in FedRAMP systems (FIPS 186-5), which Common Criteria sometimes cares about.

See more here: and
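The two recommendations in the post above, shown together as an added example that is not part of the original post or of any Fediverse project's code: an RFC 9421 signature base signed with Ed25519 using Node's built-in crypto module, with an RSA-2048 signature over the same base for a size comparison. The inbox URL, key id, `created` timestamp, the `sig1` label and the choice of covered components are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// RFC 9421 signature base: one `"id": value` line per covered component,
// then the "@signature-params" line; joined by "\n", no trailing newline.
function signatureBase(req, params) {
  const digest = nodeCrypto.createHash('sha256').update(req.body).digest('base64');
  const components = [
    ['@method', req.method],
    ['@target-uri', req.url],
    ['content-digest', `sha-256=:${digest}:`],
  ];
  const ids = components.map(([id]) => `"${id}"`).join(' ');
  const sigParams = `(${ids});created=${params.created};keyid="${params.keyid}";alg="ed25519"`;
  const lines = components.map(([id, value]) => `"${id}": ${value}`);
  lines.push(`"@signature-params": ${sigParams}`);
  return { base: lines.join('\n'), sigParams, digest };
}

function signRequest(req, privateKey, params) {
  const { base, sigParams, digest } = signatureBase(req, params);
  // Ed25519 hashes the message itself, so the digest argument is null.
  const sig = nodeCrypto.sign(null, Buffer.from(base), privateKey);
  return { sig, headers: {
    'Content-Digest': `sha-256=:${digest}:`,
    'Signature-Input': `sig1=${sigParams}`,
    'Signature': `sig1=:${sig.toString('base64')}:`,
  } };
}

// The verifier rebuilds the base from the request it actually received, so a
// changed body, method or URL yields a different base and verification fails.
// Simplification: params are passed in rather than parsed from Signature-Input.
function verifyRequest(req, sig, publicKey, params) {
  const { base } = signatureBase(req, params);
  return nodeCrypto.verify(null, Buffer.from(base), publicKey, sig);
}

// Constructed sample: throwaway keys, made-up inbox URL and key id.
const params = { created: 1735689600, keyid: 'https://social.example/actor#ed25519-key' };
const sampleReq = { method: 'POST', url: 'https://social.example/inbox', body: '{"type":"Follow"}' };
const ed = nodeCrypto.generateKeyPairSync('ed25519');
const rsa = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const signed = signRequest(sampleReq, ed.privateKey, params);
const rsaSig = nodeCrypto.sign('sha256', Buffer.from(signatureBase(sampleReq, params).base), rsa.privateKey);
console.log(signed.headers);
console.log('signature bytes: Ed25519', signed.sig.length, 'vs RSA-2048', rsaSig.length);
```

A production verifier would also parse the covered components and parameters out of the received `Signature-Input` header and compare the `Content-Digest` header against the body before trusting it.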
Does anyone have an Ed25519 public key configured to show up via WebFinger for their Fedi account? I know Mastodon stupidly only supports RSA. That's a thing I plan to fix eventually.