by raphinou 4898 days ago
I once started developing such a tool, but abandoned it when I understood the web browser is not a safe environment.

You can't trust the javascript you execute: http://www.matasano.com/articles/javascript-cryptography/

For another example, imagine a security breach on the server, some malicious javascript code injected server side, and your passwords get leaked, without you noticing.

If you think that you don't have to use SSL because you encrypt client side, think again. Without SSL a simple proxy can inject javascript in the page and get all your passwords.

The best solution, I think, which I haven't had the time to implement yet, is a native app, retrieving only encrypted and signed data from the server.

1 comments

They seem to be using TLS, but yeah the users have to trust Google (which hosts their jQuery js), Mozilla (which hosts their Persona js) and of course the admins of yithlibrary.herokuapp.com itself.

If any of these gets compromised, the crackers would be able to retrieve the master password of any user entering it afterwards.

Wouldn't it be possible to host it on your own server, including the 3rd party files?

And wouldn't TLS in this case protect the full session?

You still have to trust the source, but - it's on your machine. Go read it if you want?

It would and they should do it. But the whole thing would still be fundamentally insecure. Read the link submitted by raphinou:

http://www.matasano.com/articles/javascript-cryptography/