So the app is basically using OpenPGP.js to generate a key and store it in local storage, and then… another JS class to write to a TCP socket. All of that gets wrapped in PhoneGap.
Everything is beta-walled, and none of their website gives any hints about some of the nastier technical issues that will be encountered: securely delivering JS extensions, key retention (local storage XSS attacks mean your private key is stolen? cross-device keys?), how they’re going to make the web of trust work for everyone (seriously this is why no one you know uses PGP).
And at the end of the day it’s just webmail + PGP, so metadata attacks are still simple.
I’m interested but nervous.