If a user doesn't trust Dropbox, why would they trust passwordprotectmyfile.com?

I know it claims the file doesn't leave your computer, and that might be true right now, but in five minutes if I visit the page the code could have changed. And it would hardly be user-friendly to ask users to check the minified javascript before using it.

Should really highlight the fact that it could be self-hosted [0]. Typing a password and uploading a sensitive file is never a good idea.

[0] https://github.com/louissobel/ppmf

As soon as my file is readable by javascript it could be sent anywhere by your code. I'm not saying you do, but it could. Therefore this adds an unnecessary risk. I would have to disconnect my machine from the network and clear all the browser storage before reconnecting to even begin to think this was safe.

Just to be clear: I'm not saying it's useless, just that if the file I was encrypting was so important that I needed to encrypt it, doing it in a sandbox that is directly connected to an untrusted third-party wouldn't be a very bright move.

I really like this. Especially the self-contained html file you send around afterwards.

You should recommend people to download the html and then save it instead of using the page itself. Maybe make a big download button. Also, remove google analytics from the self-contained version, that way the page should never download/upload anything from the network.

It's the same as using openssl aes-256-cbc -in plaintext -out ciphertext That's as easy and convenient as it can get for me. But it might be helpful if I have to send an encrypted file to someone not able to use openssl or gpg. It's pretty cool to combine an encrypted file with the tools needed to decrypt it :)

How is this better than symmetric encryption with GnuPG?