I was trying this javascript implementation of RFC2928 (Password based key derivation function 2) http://anandam.name/pbkdf2/ . It heavily uses this SHA1 implementation (http://pajhome.org.uk/crypt/md5/sha1src.html). Suffices to say that it relies heavily on bitwise ops. Firefox performed the PBKDF about more than 10 times faster than Safari. On #webkit, someone said: "I think the core difference is that we always store numbers as floating point, which means bit operations have to go from float -> int32 -> float". So that might be the main reason why the code runs slowly...
FWIW, TOT WebKit (I used a nightly) is basically on par with Firefox, it's only the shipping version that's so slow.
Thats not what I'm seeing. My very rough measurements show Camino 1.5 and Firefox 2 as being 2xs faster than a recent TOT build. It's definitely an improvement from shipping Safari, but it's not close to Firefox that I can see. For reference, I tested with the string 'WEBKITRULZ' as both password and salt.
I tested with password "123456" and salt "4", and both Firefox 2.0.4 and a WebKit nightly finished in ~7 seconds (hand-measured) on an Intel iMac.
My testing on a ToT-ish build (manual timing) shows 2.3s in ToT vs. 4.5s in FFX2, i think we can close this bug.
Verify this is fixed in a nightly