It uses a 47.6 bit key?<p>Generated by Math.random()? (According to MDN, that's seeded from the current time...)<p>Update: Another problem is that there is no message authentication. The server can flip individual bits within the message.<p>Update: Also, obviously, we have to trust noplaintext.com to send us an uncompromised web page.<p>But wait! View source!<p><script type="text/javascript" async="" src="https://ssl.google-analytics.com/ga.js"></script><p>We <i>also</i> have to trust Google, specifically google-analytics.com, not to steal the message.<p><script type="text/javascript" src="https://crypto-js.googlecode.com/files/2.5.3-crypto-sha1-hmac-pbkdf2-blockmodes-aes.js"></script><p>AHHHHHHHHHHHH!<p>We <i>also</i> have to trust whoever controls the crypto-js project <i>and</i> the people running googlecode.com.
The message you get when running noscript is almost condescending.<p><i>Please enable Javascript to use NoPlaintext.</i><p><i>Javascript is an integral part of modern websites and is very easy to enable.</i>
There was a good discussion on this kind of service a while back--check out "Javascript Cryptography Considered Harmful"<p>HN: <a href="http://news.ycombinator.com/item?id=2935220" rel="nofollow">http://news.ycombinator.com/item?id=2935220</a>
Direct link: <a href="http://www.matasano.com/articles/javascript-cryptography/" rel="nofollow">http://www.matasano.com/articles/javascript-cryptography/</a>
I don't get it. If you're emailing the link anyway, wouldn't someone that intercepts the email have access to the link? Is the point that your recipient opens it before an interceptor does?<p>It's also unclear to me how the encryption scheme is working here. I don't see how it's impossible for the server to decrypt the message when it is sending you everything you need to decrypt it when you click the link. Am I missing something?
The problem is I have no assurance that the plain text never reaches the server except for your word for it. It also doesn't solve the problem if the message can be intercepted before the intended recipient can read it.
This is similar to an app I wrote for fun to learn some nodejs, <a href="http://www.selinked.com" rel="nofollow">http://www.selinked.com</a>. I <i>think</i> it's pretty secure but I am no encryption expert. Main difference is that I store nothing but the encrypted messages and for the chat and group chat nothing at all. You can also change the type of encryption it uses, all js browser side. Group chat and chat are half baked, there are still a few bugs in there. Would love some feedback on it.
It's quite similar to what I made just for fun: <a href="https://off-the-record.appspot.com/" rel="nofollow">https://off-the-record.appspot.com/</a> Of course I could add javascript AES encryption, maybe I'll do it. I have also planned to use a Raspberry Pi as the server instead of Google's servers.
Similar to <a href="https://privnote.com" rel="nofollow">https://privnote.com</a>, but slightly quicker to use. It would be neat to have an API-service like this, that could be useful for building messaging plugins.
I can just imagine receiving a link like this while I'm on a spotty WLAN, trying to load it, it not loading properly, refreshing, and having it be "expired".