by y0ghur7_xxx 4664 days ago
The page loads jQuery from Google's CDN, so at least Google could inject JS in the page and read the message before it gets encrypted.

I know, for a contact form this is very unlikely, but just from a security point of view, if I were to write something like this, I would host the JS loaded by the page on my own server.

2 comments

I've been wondering about web crypto, and how you can actually be protected from say Google getting your content before it's actually encrypted in the browser. Could Chrome's recent "packaged apps" help with that? Maybe if that part of the web app/extension was actually native/offline (but still inside the browser), it would be secure against that. Of course then you have to start wondering whether Google didn't implement a backdoor inside the browser itself...but maybe the fact that Chromium is open source can help there.

> I've been wondering about web crypto, and how you can actually be protected from say Google getting your content before it's actually encrypted in the browser.

Just don't load third-party JS from a domain you don't own, use TLS and you are good.

Yeah, that's a point. Maybe I should really do that...
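
The rule given in the thread (no JS from a domain you don't own, and everything over TLS) can be checked mechanically against a page's HTML. The following is an added example, not code from the thread or from the site being discussed; the page URL and HTML are constructed, and "a domain you own" is assumed to mean the exact hostname of the page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a contact form page pulling jQuery from a CDN.
SAMPLE_PAGE_URL = "https://contact.example/form"
SAMPLE_HTML = """<html><head>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="/js/encrypt.js"></script>
<script src="http://contact.example/js/legacy.js"></script>
<script>var inline = 1;</script>
</head></html>"""


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag and the first <base href>."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and self.base_href is None:
            self.base_href = attrs["href"]
        elif tag == "script" and attrs.get("src"):
            self.sources.append(attrs["src"].strip())


def audit_scripts(page_url, html):
    """Return (url, reason) for scripts not served by the page's own host over TLS."""
    collector = ScriptCollector()
    collector.feed(html)
    # <base href> changes how relative script URLs resolve, so apply it first.
    base = urljoin(page_url, collector.base_href or "")
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in collector.sources:
        url = urljoin(base, src)  # resolves relative and protocol-relative (//host) forms
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data:/blob: URLs have no network origin to compare
        if parts.hostname != page_host:
            findings.append((url, "third-party host"))
        elif parts.scheme != "https":
            findings.append((url, "same host, no TLS"))
    return findings
```

Calling `audit_scripts(SAMPLE_PAGE_URL, SAMPLE_HTML)` reports the CDN-hosted jQuery and the plain-HTTP script, while the same-origin `/js/encrypt.js` and the inline script pass.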