[tptacek]

What's the point of this? The server that feeds the Javascript that generates the PGP keys and any server that feeds the Javascript code that performs PGP operations can read arbitrary messages. Why bother with the rubber chicken crypto? Just have users send you plaintext messages over SSL and be honest about it.

[mballantyne]

The server can only read arbitrary messages if it changes the runtime that it serves. If it were to serve the wrong runtime to more than a narrowly targeted set of users, it could be detected (by, say, a third party running an automated script to check for changes in the served files).

This also means that targets of interest would have to be identified at time of their use of the service (so as to avoid detection as above) by something other than the content they're sending, whereas a malicious service receiving the plaintext could search through all received plaintext for interesting content without detection.

It would make an attacker expend effort and risk per-target. In a world of mass data collection, that seems valuable for those who aren't targets of particular interest but want to avoid the dragnet.

[tptacek]

The DOJ didn't want everyone's mail at Lavabit. It wanted Snowden's mail. The DOJ will feed malicious JS to its targets, and innocuous JS to everyone else.

[mballantyne]

Yep. They would. Snowden should be using PGP on an air-gapped machine inside a faraday cage, right? This isn't for him. This is for the rest of us that are at most mildly interesting but don't want to give in to the surveillance state, or just want to send a password without blindly and completely trusting at least one third party. Isn't such a mid-security but easy to use solution valuable? The more PGP-armored messages there are (even if they could be broken with effort), the less suspicious any such use of crypto can be considered.

[tptacek]

There is virtually no correlation between the people who need to have their secrets protected from hostile governments and the people who are savvy enough not to use applications that make security promises they can't keep.

[mballantyne]

The security promise is simply "this is better than plaintext email, which is what you'd use otherwise."

I'd rather have as much of my communication as possible protected from mass collection by my own government regardless of it's sensitivity.

Edit: Misunderstood your phrasing a little. Yes, ideally we would provide non-savvy users with trivially easy to use encryption strong enough to defeat hostile governments. I haven't seen it yet. I make no pretense of overpromising - I'd certainly expect a service such as I'm describing to prominently note that it shouldn't be used for material above a certain sensitivity and link to info on better options.