Overall, I maintain that the criticism is justified, but the most serious criticisms do not apply to Browser Notebook, at least not to the offline version. Further objections still apply, so the question arises why client-side encryption at all.
There is one (perhaps only) great advantage for in-browser encryption: Web browsers are familiar to almost all people. There are many good encryption programs, but the problem is, that most of the people do not use them. Even relatively easy-to-use extensions like Enigmail for Thunderbird represent a very high hurdle for many people.
Browser is low-assurance environment(Nate Lawson)
Side channel resistance is much more difficult if not impossible.(Nate Lawson)
Too many platforms — IE, Firefox, Netscape, Opera, WebKit, Konqueror, and all versions of each. Crypto code tends to fail catastrophically in the face of platform bugs.(Nate Lawson)
- (I don't think, the poor PRNG is an objection since SJCL strengthened version, although /dev/urandom is of course better.)
- The code can change dynamically, controlled by the server, not the client. Malicious code can be loaded dynamically and any audit is impossible. Therefore a server can't provide a “Trust No One” service, instead you have to trust the server operators and can't check it.
- Nate Lawson wrote: