Hi, there is an episode from Hak5 that claims to show a security vulnerability of OpenPGP.js: https://www.youtube.com/watch?v=NnHOYSRrqS4
As an example they demonstrate an "exploit" and extract private keys from a Mailvelope and MyMail-Crypt installation. Basically they own the machine first and then read in the localStorage SQL file where OpenPGP.js stores the keys in clear text.

My points on this:

- OpenPGP.js is not meant for hostile environments.
- This is true for other PGP implementations as well. Take GPG: if you own the machine you can also do a "gpg --export-secret-key -a" and get all the keys.
- There is speculation in the episode about a possible attack on the localStorage from other addons or external websites. This boils down to the never-ending discussion of whether the browser is a suitable platform for crypto or not.
- It would be good to have a more modular persistence layer in OpenPGP.js to enable applications to implement their own secure storage.

Any thoughts?

Thanks,
Thomas
_______________________________________________ http://openpgpjs.org

