Thanks, and that is absolutely true. That's why it's open source: I want people to host their own version if they don't trust me https://github.com/alainmeier/cryptonote
But if you need to trust the server (and you do), then the client-side encryption is 100% pointless. You might as well encrypt on the server with safe, sane, battle-hardened code.
At the end of the day, XSS, rogue hosts, etc can own this even if the person "running the show" doesn't want it to happen.
Edit: I note that you now link to Nadim's response to http://www.matasano.com/articles/javascript-cryptography... -- you reaaaaally should consider linking to the original, or perhaps to https://news.ycombinator.com/item?id=5768837 wherein that article is torn to shreds. JS cryptography is very, very dangerous.