Security Information about Browser Notebook

Private notes through encryption

Browser Notebook uses the Stanford JavaScript Crypto Library (SJCL), but (unlike the SJCL standard) it uses
The text is encrypted with AES in CCM mode (authenticated encryption, which protects the integrity of the data as well as its confidentiality).

Never Stores Cleartext

The text is stored in encrypted form and only on your own device.

Client-side Encryption with JavaScript

There are some security concerns about using JavaScript in the browser for (end-to-end) encryption.

Note: End-to-end encryption only applies here when accessing the Dropbox cloud, as the encrypted text is otherwise not stored on any server.

You can find some articles about this here:

Not all of the objections made there still apply today, and not all of them apply to Browser Notebook because, for example, no content, keys or passwords are stored server-side. Other objections still apply, so the question arises why use client-side encryption at all.

There is one (perhaps the only) great advantage of in-browser encryption: web browsers are familiar to almost everyone. There are many good encryption programs, but the problem is that most people do not use them.

In my opinion, the main problems with using encryption in the browser are:
  1. The code can change dynamically, controlled by the server, not the client. Malicious code can be loaded dynamically and verification is almost impossible. Therefore a server cannot provide a “Trust No One” service; instead you have to trust the server and/or those who put the code online.
  2. Due to the variety of browsers, the browser environment is questionable when it comes to security. Of course, there are also vulnerabilities in the operating system, but some browsers have a long history of vulnerabilities. You have to trust not only your operating system, but also your browser.

Problem 1 is solved if you use Browser Notebook in offline mode, i.e. download the code and verify its checksum. Regarding problem 2, the best advice is: choose your browser carefully.