by exec 4894 days ago
Not using HTTPS is a critical mistake. An adversary can just do a MITM attack and send modified code to the user's browser to steal passwords.

It's not the best idea to share sensitive documents without using HTTPS.


Confirm. This system was obviously designed by people who had no idea what they were doing, which is about the last thing you want in a cryptosystem. Failing to authenticate the JS cryptographic code (TLS would've helped here) makes this system effectively worthless and simple to MitM.

A good read on the matter is Matasano's JavaScript Cryptography Considered Harmful: http://www.matasano.com/articles/javascript-cryptography/
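The point above is that crypto code fetched without TLS can be rewritten in transit. As an added illustration (not part of this thread or of the site being discussed), here is a small defender-side check that goes a little beyond the thread: it flags every script a page loads over plain HTTP, including relative and protocol-relative scripts when the page itself was served over HTTP, and notes a missing Strict-Transport-Security header. The HTML and hostnames are constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptSourceCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def plaintext_scripts(page_url, html):
    """Return script URLs that a network attacker could rewrite in transit:
    any script fetched over http://, and any relative or protocol-relative
    script when the page itself was delivered over plain HTTP."""
    parser = ScriptSourceCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    flagged = []
    for src in parser.sources:
        scheme = urlsplit(src).scheme.lower()
        if scheme == "http" or (scheme == "" and page_scheme == "http"):
            flagged.append(src)
    return flagged


def missing_hsts(headers):
    """True when no Strict-Transport-Security header is present, so a first
    visit typed as http:// can still be intercepted before any redirect."""
    return not any(k.lower() == "strict-transport-security" for k in headers)


# Constructed sample page: one plaintext CDN script, one protocol-relative
# script, one relative script and one properly HTTPS-delivered script.
SAMPLE_HTML = """<html><head>
<script src="http://cdn.example.test/crypto.js"></script>
<script src="//cdn.example.test/sjcl.js"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/ok.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(plaintext_scripts("http://docs.example.test/", SAMPLE_HTML))
    print(plaintext_scripts("https://docs.example.test/", SAMPLE_HTML))
    print(missing_hsts({"Content-Type": "text/html"}))
```

Even after the page moves to HTTPS, the first script in the sample is still flagged: mixed-content scripts keep the whole crypto path attacker-controlled.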

I wasn't aware of the MITM issues, thank you for letting me know. I'm working on setting up a cert as we speak.
HTTPS is now enabled on the site. Thanks for letting me know.

Just curious, do you see any other red flags in the system?