[pcwalton]

> JS doesn't have a concept of "here have a variable with data inside of it but you cannot touch it".

Actually, it does: closures (and WeakMap in ES6 has similar properties). They're pretty foolproof for information hiding, if used properly. (But this is irrelevant to tptacek's point about the security of crypto in JS, of course.)

[IgorPartola]

I don't think this is what the grandparent is envisioning. Also closures are great until you are able to replace the code that produces them, or read straight from the DOM at the place where you mail client is displaying the decrypted data.