JS crypto goto fail?

tldr; A long, passionate discussion about JS crypto. Use slides for an overview.

Javascript cryptography is on the rise. What used to be a rich source of vulnerabilities and regarded as "not a serious research area", suddenly becomes used by many. Over the last few years, there was a serious effort to develop libraries implementing cryptographic primitives and protocols in JS. So now we have at least:

• SJCL - some crypto primitives
• Forge - a TLS implementation
• OpenPGP.js - OpenPGP implementation
• End-To-End - OpenPGP + other crypto primitives

On top of that, there's a lot of fresh, new user-facing applications (Whiteout.IO, Keybase.io, miniLock to name just the fancy ones on .io domains).  JS crypto is used in websites, browser extensions, and server side-applications - whether we like it or not. It is time to look again at the challenges and limits of crunching secret numbers in Javascript.