git404hub

what is sjcl fr?

bitwiseshiftleft/sjcl — explained in plain English

Analysis updated 2026-06-24

7,219JavaScriptAudience · developerComplexity · 2/5Setup · easy

tl;dr

A deprecated JavaScript cryptography library originally built at Stanford University for in-browser encryption and key generation, upgrade existing installs to version 1.0.9 to patch a critical ECDH private-key vulnerability, then migrate to a modern alternative.

vibe map

mindmap
  root((sjcl))
    What it does
      Encrypt data
      Generate keys
      Key exchange
    Status
      Deprecated
      Final patch 1.0.9
    Security Fix
      ECDH vulnerability
      Upgrade existing apps
    Audience
      Existing users
      Migration reference

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

what do people make with this?

VIBE 1

Upgrade an existing app that uses SJCL to version 1.0.9 to patch the ECDH private-key recovery vulnerability.

VIBE 2

Reference the historical in-browser cryptography approach before the Web Crypto API was widely available.

what's the stack?

JavaScript

how it stacks up fr

bitwiseshiftleft/sjclhashlips/hashlips_art_enginepostmanlabs/newman
Stars7,2197,2187,216
LanguageJavaScriptJavaScriptJavaScript
Setup difficultyeasyeasyeasy
Complexity2/52/52/5
Audiencedevelopergeneraldeveloper

Figures from each repo's GitHub metadata at analysis time.

how do i run it?

Difficulty · easy time til it works · 30min

Deprecated, no active maintenance, use only to apply the final 1.0.9 security patch on existing projects before migrating away.

in plain english

SJCL stands for Stanford Javascript Crypto Library. It is a JavaScript library that was originally built at Stanford University to provide cryptographic tools you can use directly in a web browser or JavaScript application. Cryptography here means things like encrypting data, generating secure keys, and performing mathematical operations that keep information private. The library is officially deprecated, meaning the authors have stopped maintaining it and do not recommend using it in new projects. The README is explicit: if you are starting something new, look elsewhere for a more modern alternative. The only reason the project still exists on GitHub is historical reference and to distribute a final security fix. That security fix matters. A researcher discovered a serious vulnerability in the part of the library that handles a key-exchange method called ECDH. An attacker who could send specially crafted inputs to your application could potentially recover your private key, which would break the confidentiality of anything protected by it. This flaw was patched in version 1.0.9, which is the last release. If you are running any older version of SJCL in an existing application, upgrading to 1.0.9 is the only safe course of action. Past versions of the library also changed how a base-32 text encoding worked in version 1.0.4. The encoding alphabet was updated to match a formal standard, and data encoded with the old format needs to be decoded with a different codec name going forward. These details matter only if you have existing data produced by older versions. In short, SJCL is a closed chapter. It served as a usable in-browser cryptography option before the modern Web Crypto API was widely available, but that era has passed. The repository stays up so existing users can access the final patched release and understand the history of changes.

prompts (copy fr)

prompt 1
I have an existing app using SJCL for ECDH key exchange. How do I upgrade to version 1.0.9 to fix the vulnerability, and what modern Web Crypto API call should I migrate to afterward?
prompt 2
My app uses SJCL base-32 encoding from before version 1.0.4. How do I decode that old-format data after upgrading to the new encoding alphabet?
prompt 3
What are the modern in-browser alternatives to SJCL for symmetric encryption and key generation? Show a side-by-side comparison using the Web Crypto API.

Frequently asked questions

what is sjcl fr?

A deprecated JavaScript cryptography library originally built at Stanford University for in-browser encryption and key generation, upgrade existing installs to version 1.0.9 to patch a critical ECDH private-key vulnerability, then migrate to a modern alternative.

What language is sjcl written in?

Mainly JavaScript. The stack also includes JavaScript.

How hard is sjcl to set up?

Setup difficulty is rated easy, with roughly 30min to a first successful run.

Who is sjcl for?

Mainly developer.

peek the repo → explain another one

This repo across BitVibe Labs

double-check against the repo, no cap.