Client-side Encryption with JavaScript
There are some security concerns about using JavaScript in the browser for (end-to-end) encryption.
Note: End-to-end encryption only applies here when accessing the Dropbox cloud, as the encrypted text is otherwise not stored on any server.
You can find some articles about this here:
- Nate Lawson: Final post on Javascript crypto (2010)
- Tony Arcieri: What’s wrong with in-browser cryptography? (2013)
- Lúcás Meier: End-to-End Encryption in Web Apps (2021)
Not all of the objections raised there still apply today, and not all of them apply to Browser Notebook because, for example, no content, keys or passwords are stored server-side. Other objections still apply, which raises the question of why to use client-side encryption at all.
There is one (perhaps the only) great advantage of in-browser encryption: web browsers are familiar to almost everyone. There are many good encryption programs, but the problem is that most people do not use them.
In my opinion, the main problems with using encryption in the browser are:
- The code can change dynamically, controlled by the server rather than the client. Malicious code can be loaded dynamically, and verifying it is almost impossible. A server therefore cannot provide a “Trust No One” service; instead you have to trust the server and/or those who put the code online.
- Due to the variety of browsers, the browser environment is questionable when it comes to security. Of course, there are also vulnerabilities in operating systems, but some browsers have a long history of vulnerabilities. You have to trust not only your operating system but also your browser.
Problem 1 is solved if you use Browser Notebook in offline mode, i.e. download the code and verify the checksum. Regarding problem 2, the best advice is: choose your browser carefully.
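The offline-mode step above, verifying the downloaded code against its checksum, as an added example (not part of Browser Notebook's own tooling). It assumes the expected SHA-256 digest was obtained out of band, for instance from the project's release page, and that either `sha256sum` or `shasum` is installed; the file contents and digest used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not Browser Notebook's own code: check a downloaded file
# against a published SHA-256 checksum before running it offline.
# Assumptions: the expected digest comes from a source other than the
# download itself, and sha256sum or shasum is available on PATH.

# Print the SHA-256 hex digest of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# verify_checksum FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 if no digest tool is available.
# The comparison is case-insensitive because published digests use either case.
verify_checksum() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration with constructed data: a stand-in for the downloaded code
# whose contents are the text "hello" plus a newline.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
# Known SHA-256 of "hello\n" (the expected digest, as if read from a release page).
good_sum=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# SHA-256 of an empty file, used here as a deliberately wrong digest.
wrong_sum=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
verify_checksum "$demo_file" "$good_sum" || true    # prints OK
verify_checksum "$demo_file" "$wrong_sum" || true   # prints MISMATCH
rm -f "$demo_file"
```

The digest only helps if it reaches you by a path the code server does not control: a checksum published alongside the download on the same server guards against a corrupted transfer, not against a server that has been altered to ship different code and a matching checksum.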