On Sun, Dec 12, 2010 at 20:32, Ted Unangst <ted.unan...@gmail.com> wrote:
> On Sun, Dec 12, 2010 at 1:16 PM, Alexander Shulgin
> <alex.shul...@gmail.com> wrote:
>> I know it might sound funny, but what do you guys think about
>> feasibility of massively automatic PGP web mail with all
>> encryption/decryption done through javascript in the client's browser?
>
> At some point you're going to realize that the javascript that
> decrypts your mail has to come from someplace.

Ah, valid claim, thanks. This part definitely needs re-thinking :)

As far as I understand, SSL can only guarantee you that javascript came
from the site you'd expect it to come from, but there's nothing that will
stop the site admin/hijacker (if any) from altering the script in some
clever way. At this point it boils down again to the privately owned
server.

--
Alex