Quote from: Guru on August 07, 2012, 07:32 amFor the customer, though, this is a different matter. What Hush did was something like the following -- it had TWO versions of their Java applet. The regular version was supplied to the ordinary customers. There was a second version, that was modified so as to capture the users' PGP passphrase, and pass it along to Hush. This applet was sent to customers who were named in a warrant or other court document. From Hush's perspective this system worked marvelously well -- it allowed ordinary customers to go about their business as usual, while totally compromising the security of those customers named in a warrant or other court documents. With the customers' private keys, and passphrase, Hush was able to decrypt all the customers' email. Even if the customer tried to delete all their emails, once read, Hush merely kept copies for later decryption. GuruPrivnote will be getting up to similar trickery, if it hasn't done so already.Example: Mandate that Privnote store ip addreses of all customers who use the Tor Network via an exploit. Then infiltrate SR and find all transactional information that was plaintext or privnote. The first group are screwed anyway. In the case of the second, it's slightly more work, where you would lie like a spider in wait for past privnote users, a passive adversary. Then when an example of privnote use occurs, you know the ip address of the user and can use LE Malware like CIPAV to record all their keystrokes in future.Actually, there are probably easier ways, but that's one. The point is that using Tor without Javascript enabled is dangerous if you're being directed to specific webpages that only you could know the URL of which are under the control of the adversary, and that you should use PGP.LE are not going to try and break the Tor Network or PGP because they are not that stupid and also nowhere near that smart enough by themselves. So they will try sidechannel attacks such as Guru described.It might sound complicated, but it is not, you just learn to use PGP and don't go to dodgy sites like privnote to allow them to run scripts. That's 10-20 minutes work and 1 click for every SR user, max.