Hacker News
by e12e 1071 days ago
But you distribute the js that accepts the passphrase - so you could trivially exfiltrate the password - and so access the private key.

"Don't have access" is a little too strongly worded IMNHO.

(I understand the reasoning - and I don't necessarily think it's bad - I just think it overpromises a bit)

2 comments

Sure, fair enough. I've edited it to "the server doesn't have access". Also, see https://news.ycombinator.com/item?id=36643922.
The app ultimately shows you your decrypted email. If client-side code is compromised then I don't think this is the thing you worry about.
Sending signed and encrypted emails is worse than just reading.