[liberationtech] pgp message encryption and decryption using just a browser
Steve Weis
steveweis at gmail.com
Sun Sep 26 15:35:34 PDT 2010
Hi Frank. How would you trust the Javascript that decrypts the
message? You would need to give that code your secret key, so must
trust it completely.

That Javascript code would be hosted on a third-party site that could
be malicious, compromised, or incompetent. You could audit the code,
but the site could silently change it any time in the future.
Signing it doesn't help unless you already have some trusted code to
verify the signature. You could hypothetically save a local trusted
version of the Javascript and run it, but at that point you might as
well just use GPG.

I think using client-side Javascript for crypto is generally a bad
idea. I've only seen one case where it made sense, which was to
offload public-key operations onto clients. That was strictly for
performance reasons and did not increase the risk above what the site
was already doing.
On Sun, Sep 26, 2010 at 12:45 AM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> ... I was and I still
> am keen to identify an online, akin to hanewin's, but one that can
> equally Decrypt a text based pgp message. Of course creating encryption
> keys does require software in addition to a web browser. But I still do
> think it would be very helpful to many to be able to access an online
> resource for the sending and reading of pgp messages, without the need
> of additional software and one that can be used off-line and downloaded
> locally or kept on a usb stick for greater portability.
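
An added illustration of the point about signing in the message above, not part of the original post: when the site that serves the decryption script also serves the digest (or signature) used to check it, a silently changed script still verifies, and only a reference recorded locally at audit time catches the change. The script bodies, the function names and the `siteResponse` model are constructed for this example.

```javascript
const crypto = require("node:crypto");

// SRI-style digest string ("sha384-<base64>") of a script body.
function digest(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// Constructed samples: the script as audited, and as served some time later.
const AUDITED = "function decryptMessage(armored, secretKey) { /* audited body */ }\n";
const SERVED_LATER = AUDITED + "/* statement added by the site after the audit */\n";

// Hypothetical model of the hosting site: it controls both the script
// and the digest it publishes next to the script.
function siteResponse(body) {
  return { script: body, publishedDigest: digest(body) };
}

// Check A: verify the script against the digest delivered by the same site.
function verifyWithSiteDigest(resp) {
  return digest(resp.script) === resp.publishedDigest;
}

// Check B: verify the script against a digest recorded locally at audit time.
function verifyWithPinnedDigest(resp, pinned) {
  return digest(resp.script) === pinned;
}

// Recorded once, by the user, on the machine that did the audit.
const PINNED = digest(AUDITED);

function runDemo() {
  const atAudit = siteResponse(AUDITED);
  const later = siteResponse(SERVED_LATER);
  return {
    siteCheckAtAudit: verifyWithSiteDigest(atAudit),
    siteCheckLater: verifyWithSiteDigest(later), // passes although the script changed
    pinnedCheckAtAudit: verifyWithPinnedDigest(atAudit, PINNED),
    pinnedCheckLater: verifyWithPinnedDigest(later, PINNED), // fails: change detected
  };
}

console.log(runDemo());
```

Check B only works because both the pinned digest and the code doing the comparison live outside anything the site can alter, which is the locally saved trusted copy the message describes.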