I really wish there weren't two popular projects that were abbreviated to NaCl.

For others, this is a port of the "salt" NaCl crypto library, and has nothing to do with Native Client.

The dangers of JS crypto in the browser are well trodden (anybody who can snoop the connection can probably replace the JS, for example), but the rise of JS-based client apps (through node-webkit et al) make this a bit more meaningful.

Afaik NaCl from DBJ et al. isn't actively maintained, by them, as an ongoing project. It hasn't been updated since early 2011. libsodium is where it's at now. Going forward, I wouldn't expect TweetNaCl to be either so there's not much of a naming collision.

Yes, I was initially excited expecting to see something awesome for Google NaCl, but it turned out to be yet another script written in a legacy language... Well, he did add .js to the name though.

What exactly are you referring to with "legacy language"? Could you elaborate?

I'm pretty sure it was just snark at Javascript/ECMAscript.

IMO it's pretty hard to justify calling it a legacy language when there are 4 major JS JIT engines actively competing for performance, and a pretty thriving developer ecosystem. It's about as young as Ruby, and younger than Python and Haskell.

thank you for clarifying.

Sometimes these name collisions don't matter because the projects are from two separate groups of software, but in this case, the overlap in 'client facing web apps' makes NaCl downright confusing without clarification.

Javascript is also a supported target for libsodium, through Emscripten. The Javascript file size (minified/gzipped, with most operations including password hashing using scrypt) is 136K.

TweetNaCl.js doesn't have the same features set, but it is tiny, has been written in Javascript, is easy to use, well-documented, and well-maintained.

This is what Minilock uses. It is a perfect fit for this kind of applications.

I've actually been looking for a small crypto library for javascript, I'm in the process of building a desktop cross-platform app using node-webkit, and this seems quite interesting!

We ended up using tweetnacl for Stellar after switching to Ed25519. We forked it to implement generating keys from a seed.

https://github.com/stellar/tweetnacl-js/commit/063e072

Nice! I've added nacl.sign.keyPair.fromSeed in v0.11.0, though I see that I didn't define seedLength. Will do!

The goal of TweetNaCl is to make an auditable crypto library, and this is a JavaScript port of the original C library.

Its goal is not to offer every cipher or algorthim, but its small size allows it to be easily included in unhosted apps like miniLock.

How does this differ from the other javascript NaCl implementations?

https://www.npmjs.org/search?q=nacl

It's a port of TweetNaCl (http://tweetnacl.cr.yp.to), which goal is to be tiny and auditable. If you compare C and JS implementations side-by-side, they look very similar (which was the major goal of this port).

For one the fact that (the author of NaCL) Daniel Bernstein is backing it.

DJB wrote the original tweetnacl.c, from which this JavaScript implementation is derived. He doesn't have anything to do with the port.

You guys are right of course; I was looking at the C version.

I really doubt that, where does it say so? AFAIK, he supported the TweetNaCl in C. That does not mean anything concerning this port.