by divtxt 5189 days ago
The real short answer seems to be: encryption is done client-side by Javascript.

I'd worry about the extra attack vectors because of that - man-in-the-middle, snooping browser extensions, etc. (or even just strong-arming them into silently changing their JavaScript to do no encryption).

To his credit, he writes about this as well:

> On a trust scale, is it better to use PGP or PrivateSky if you want to be 100% sure that no one can see your data? Answer: There is no question that [...] a system such as PGP is better [...]

> There is only one problem. PGP and the current state of the art are too damn hard for the general population at large to use. [...]


> There is only one problem. PGP and the current state of the art are too damn hard for the general population at large to use. [...]

I use enigmail + thunderbird, and it's pretty simple to use. It's only difficult because the tools are immature. Sending a mail and seeing a "verified from foo@bar.com", or "can only be viewed by foo@bar.com" isn't difficult to understand.

The smartphone vendors are in a unique position where they could make this happen.

The thing is, doing it correctly still actually requires quite a bit of understanding.

The hard part has always been key management. If a user doesn't have a properly managed web of trust, they have no real assurance of privacy or authenticity.

I think the people who are actually in a position to fix this problem are the social networks. Imagine if the act of joining Facebook caused a keypair to be generated by you, and friending someone brought their key into your web of trust with some sensible defaults.

Unfortunately Facebook has no incentive to build such a thing. But maybe something third party can leverage all those social connections to help users manage keys in a more natural way.
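As an added illustration of the key-management point above (not code from the thread or from any product it mentions), here is a small model of PGP-style web-of-trust validity: "friending" is modelled as certifying a key and assigning it marginal owner trust, and a stranger's key becomes valid only when enough trusted friends have certified it. The thresholds mirror GnuPG's classic defaults (one full or three marginal certifiers, depth at most five); the key ids and trust assignments are constructed sample data.

```python
from dataclasses import dataclass, field

# Owner trust: how far we trust a key holder to certify *other* keys.
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"
COMPLETES_NEEDED = 1   # GnuPG classic default: one fully trusted certifier...
MARGINALS_NEEDED = 3   # ...or three marginally trusted ones
MAX_CERT_DEPTH = 5     # how many hops from our own key we will follow


@dataclass
class Keyring:
    owner_trust: dict                               # key id -> trust level we assigned
    certs: dict = field(default_factory=dict)      # signed key -> set of signer key ids

    def certify(self, signer, signed):
        """Record that `signer` has signed (certified) `signed`'s key."""
        self.certs.setdefault(signed, set()).add(signer)

    def valid_keys(self):
        """Keys we consider bound to their claimed identity (PGP 'validity')."""
        valid = {k for k, t in self.owner_trust.items() if t == ULTIMATE}
        for _ in range(MAX_CERT_DEPTH):
            newly_valid = set()
            for key, signers in self.certs.items():
                if key in valid:
                    continue
                # Only certifications from keys that are themselves valid count.
                usable = [s for s in signers if s in valid]
                fulls = sum(1 for s in usable if self.owner_trust.get(s) in (ULTIMATE, FULL))
                margs = sum(1 for s in usable if self.owner_trust.get(s) == MARGINAL)
                if fulls >= COMPLETES_NEEDED or margs >= MARGINALS_NEEDED:
                    newly_valid.add(key)
            if not newly_valid:
                break
            valid |= newly_valid
        return valid


def social_demo():
    """Constructed scenario: friending = certify + marginal trust (hypothetical default)."""
    ring = Keyring(owner_trust={"me": ULTIMATE, "alice": MARGINAL,
                                "bob": MARGINAL, "carol": MARGINAL})
    for friend in ("alice", "bob", "carol"):
        ring.certify("me", friend)            # I vouch for my friends' keys
        ring.certify(friend, "dave")          # all three friends vouch for dave
    ring.certify("alice", "eve")              # eve has only two marginal vouchers
    ring.certify("bob", "eve")
    ring.certify("mallory", "sock1")          # mallory is unknown to us; her vouch is worthless
    return ring.valid_keys()
```

With the sample data, `dave` becomes valid through three marginal friends while `eve` and `sock1` do not, which is exactly the "sensible defaults" problem the comment describes: the defaults decide whose keys a user ends up trusting.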