[revelation]

This isn't even exactly about JavaScript cryptography. This is the equivalent to building a program to read the TrueCrypt keys out of memory.

The problem here is "the machine doing the cryptography can not be trusted", not "it's JavaScript in a webbrowser", though of course thats also a fundamental problem.

[plaguuuuuu]

The problem actually isn't "the machine doing the cryptography can not be trusted" - the machine is basically you, the user, obviously once you have your files they're on your computer. If you don't trust your computer, what use do you have for files in the first place.

Problem is actually "the computer that sends you code to run on your PC can't be trusted". Big difference..

[fleitz]

While they are the same class of attacks they are fundamentally different in the level of complexity required.

There's no 20 line piece of code that any user can run to get your TrueCrypt key, you're looking at an OS exploit to get kernel access, plus the code to find the key, and/or freezing the computer in liquid nitrogen and then reading the contents of memory directly.

[byroot]

It also mean that any of your Chrome / Firefox extension can access it when you open mega.co.nz