Quote from: DaMan on August 17, 2012, 10:32 amI don't disagree that privnote is a shitty way to keep track of conversations, but back on the code, here it is:https://privnote.com/static-1741/js/pack.jsyou can check it... no backdoors there as far as I can tell.I don't think you must be familiar with how the Hushmail exploit worked. Guru has a good description of the process if you search his posts. Actually here it is quoted in full:Quote from: Guru on August 14, 2012, 03:26 amThose comments you quoted above from the SR Wiki remind me of noting so much as some of the comments with respect to security, made by Hushmail, reproduced below. Just in case you were not aware, Hushmail is a so-called privacy-oriented email service with its HQ located in Vancouver, BC, Canada. QuoteHushmail's FAQ, archived at the Internet Wayback Machine as of February 15, 2001http://web.archive.org/web/20010215014607/http://www.hushmail.com/about_hushmail/faq/#gq3334. Does HushMail have a "back door" that can be accessed by government agencies?No. Email, which includes attachments, sent between Hush users is completely encrypted.35. What if my message is subpoenaed?Hush will answer valid, court-issued subpoenas. However, if the mail is fully encrypted, the subpoenaed version will not resemble the original text version. On or about April 3, 2002, Hush revised their FAQ to make their claims even more explicit: Quotehttp://web.archive.org/web/20020403213419/http://www.hushmail.com/about_hushmail/faq/#messagesubponaedDoes HushMail have a "back door" that can be accessed by government agencies?No. Email, which includes attachments, sent between Hush users is completely encrypted.What if my message is subpoenaed?Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even Hush can access the encryption keys of individual users, in the case of a subpoena Hush would only be able to provide the encrypted (coded) version of the transmitted email.So, as you can see the claims Hush were making were pretty damn specific, even explicit. They damn-near guaranteed their users that, if the government came a-callin', the WORST that could happen would be that the Feds would get their hands on securely-encrypted emails. Needless to say, that isn't what happened, not by a longshot. Far from turning over encrypted emails, Hushmail turned over to the DEA in excess of 100,000 DECRYPTED emails on an unspecified number of customers. Users flocked to Hushmail based on several factors: 1) Hush promised security. After all, Hush was located in Canada, and moreover, boasted servers in such faraway places as Ireland and Anguilla (known as a tax haven.) People thought these overseas server locations put Hush's servers out of the reach of the long arm of the American authorities. 2) Hush benefitted from the enormous goodwill attached to the PGP brand, not to mention its reputation for robust security. In addition, they also had Phil Zimmermann's endorsement (Phil is the original PGP developer.) 3) Finally, perhaps the trump card in Hush's deck, was the fact that their system boasted unsurpassed ease-of-use. To use Hushmail, you didn't NEED to know ANYTHING about encryption in general, or PGP in particular. The system transparently encrypted (and decrypted) email sent from one Hush user to another. From the users' perspective, it was secure, it was easy to use, and it didn't cost an arm and a leg to subscribe. Is it any wonder that, given all these advantages, that American illegal steroid manufacturers/traffickers, not to mention their Chinese bulk steroid powder suppliers, made Hushmail their email provider of choice? What none of these people realized was that Hush was breaking one of the cardinal rules of public key encryption -- that is, the separation of public and private key-pairs. As their system was setup, Hush stored both the public and private halves of the PGP keypair for you. Hush touted the fact that your private key was protected by your passphrase, and that without your passphrase, your email was secure. Well that turned out not to be. Hush used a Java applet to carry out both encryption and decryption on the user's machine. Hush already had both halves of the users' PGP key-pairs; all they needed to totally compromise the users' security was their passphrase. Every time you login to a Hushmail account, you get a message to the effect that a copy of the Hush Java applet is being downloaded, and that this may take up to 3 minutes. Regular users, that is users not named in a subpoena, got the regular Java applet, and remained secure. Users named in a subpoena, got a poisoned Java applet modified so as to capture the user's passphrase and convey it along to Hush. With the user's passphrase, and the private half of their PGP key, it was a trivial matter to decrypt all their email. A DEA spokesman actually boasted to an American media outlet that the DEA had obtained in excess of 100,000 decrypted emails. To the best of my understanding, prosecutions arising from Operation Raw Deal in 2007 were still proceeding as late as 2011. If you learn nothing else from this, please remember that promises made by third parties are, for the most part, meaningless, worthless,even. You need to take your security into your own hands. That is why PGP is _so_ important. A great many people trusted Hushmail and got burned as a result. What happened is that 'persons of interest' were given different code to everybody else. This is how LE managed to obtain the passphrases of their suspects.Similarly with Privnote , just because that JavaScript does 1 thing now, does not mean it won't do something else in future for specific users.There *are* exploits using JavaScript which can deanonymize you on the Tor network. Just because you cannot access the hard drive using JavaScript alone, does not mean it is a non-issue. Seeing as requests from exit Tor nodes are trivial to spot, that makes a possible exploit from Privnote something to be taken seriously.Finally, just because we may not work out how precisely this exploit is to take place (for all we know, it already has been used), does not mean we should stick up for anybody using that service.In my eyes, anybody using Privnote is a potential LE agent until shown otherwise. Secondly, anybody using Privnote, even if they are not a LE agent, must have a single digit intelligence quotient, and so you shouldn't do business with them anyway.Thirdly, anybody suggesting Privnote may be an appropriate idea for *anybody* is somebody with a highly suspicious suggestion, so to be perfectly forthright that includes yourself.Hushmail was known to be insecure and suspect long before factual evidence arrived. In the black market, you rely on your intuition as much as your logic, people who don't get cocky, overconfidently believing they're criminal supergeniuses, and those people should be avoided like the fucking plague.