Description
Hello, I received a Critical Severity alert today from the crypto-js NPM package. I am sure you probably did as well. It stated that:
crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard
I don't think lnc-web uses that algorithm but it is still concerning. So I checked out the repository for crypto-js and it seems that it is now deprecated. You can see the notice here: https://github.com/brix/crypto-js#discontinued
Active development of CryptoJS has been discontinued. This library is no longer maintained.
Nowadays, NodeJS and modern browsers have a native Crypto module. The latest version of CryptoJS already uses the native Crypto module for random number generation, since Math.random() is not crypto-safe. Further development of CryptoJS would result in it only being a wrapper of native Crypto. Therefore, development and maintenance has been discontinued, it is time to go for the native crypto module.
I think it would be a good idea for lnc-web to migrate away from this deprecated library ASAP. Even if the cryptography used by lnc-web from the crypto-js module is still considered secure, something as critical to security as this should be using the latest and greatest. The browser native crypto API is pretty good now so I don't think the migration should be too hard, but I haven't taken a full look at how everything works under the hood with lnc-web yet either.
https://developer.mozilla.org/en-US/docs/Web/API/Crypto
Please let me know your thoughts on this, thanks!
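For reference, an added example (not part of the original issue, and not lnc-web or crypto-js code) of PBKDF2 through the native Web Crypto API linked above. Web Crypto's PBKDF2 has no default hash or iteration count, so the caller must state both; the function names, the `MIN_ITERATIONS` floor and the hash allow-list are assumptions made for this example.

```javascript
// Added example: PBKDF2 via the native Web Crypto API (browser or Node.js).
// Falls back to node:crypto's webcrypto on Node versions without a global `crypto`.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Assumed policy floor for this example; set yours from current guidance.
const MIN_ITERATIONS = 600000;
// Assumed allow-list for this example's policy.
const ALLOWED_HASHES = ["SHA-256", "SHA-384", "SHA-512"];

// Return a list of policy problems so callers can log or reject weak settings.
function pbkdf2ParamProblems({ hash, iterations } = {}, minIterations = MIN_ITERATIONS) {
  const problems = [];
  if (!ALLOWED_HASHES.includes(hash)) {
    problems.push("hash must be stated explicitly as one of " + ALLOWED_HASHES.join(", "));
  }
  if (!Number.isInteger(iterations) || iterations < minIterations) {
    problems.push(`iterations must be an integer >= ${minIterations}`);
  }
  return problems;
}

const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// 16 bytes from the platform CSPRNG; generate one salt per stored secret.
function randomSalt() {
  return webcrypto.getRandomValues(new Uint8Array(16));
}

// Derive `bits` bits from a password. `salt` is a Uint8Array.
// Rejects (instead of silently deriving) when the parameters fail the policy.
async function deriveKeyHex(password, salt, params, minIterations = MIN_ITERATIONS, bits = 256) {
  const problems = pbkdf2ParamProblems(params, minIterations);
  if (problems.length) {
    throw new Error("weak PBKDF2 parameters: " + problems.join("; "));
  }
  const baseKey = await webcrypto.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits"]);
  const derived = await webcrypto.subtle.deriveBits(
    { name: "PBKDF2", hash: params.hash, salt, iterations: params.iterations },
    baseKey, bits);
  return toHex(derived);
}
```

Store the salt, hash name and iteration count next to the derived value so the parameters can be raised later without breaking existing records.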