Hi,

> The case with Hushmail is entirely different because Hushmail generates
> (stores, and backdoors) keys on the server. It's far harder to backdoor
> JavaScript compared to compiled Java Applets without notice.
>

Here's a current blogpost by Jon Matonis (former CEO of Hushmail)
explaining the JS delivery issue:
http://www.forbes.com/sites/jonmatonis/2012/07/30/cryptocat-increases-security-in-move-away-from-javascript-encryption/


> I agree with what you're saying though. My intentions are to convert the
> finished Roundcube JS plugin to browser extensions. Roundcube is an
> installable IMAP application. It's not an "app" though, but the same code
> can be reused pretty easily. Someone mentioned that OpenPGP.js was
> complicated in this thread, providing implementations is a way to counter
> that :-)
>

1.) You may have misunderstood. I said "PGP" (as in the email encryption
method) is difficult to use for an average user. Not "OpenPGP.js" (the
JavaScript library).

2.) As far as I understood, Roundcube has to be installed on a LAMPP stack
on a Linux server, since the IMAP client is implemented in PHP on the
server side. That's a totally different use case.


> "The app is installed only once" <- nope. Bugs and updates will always
> exist and any security procedure that is based on something else is, in my
> opinion, broken by design. There are far better end-to-end encryption
> solutions that can be used instead of HTTPS to patch the fictional scenario
> where HTTPS gets hijacked. Tor, for example. :-)
>

Of course there will be patches and updates. When I say "installed only
once", I'm talking about a certain version of the application. In contrast,
when you open a webpage, you're downloading the same version of the
application multiple times. You always have to trust the network at least
once (when you download your browser). But in the case of the installable
application, your Chrome browser can check the signature of the
installation package and confirm that the package has not been tampered
with.

Tankred
_______________________________________________

http://openpgpjs.org