There is no shortage of opinions on the benefits and limitations of browser crypto, and we are very familiar with both sides of the argument. Like some of our previous answers, this one is going to get technical, so if you aren’t a geek you may want to tap your geek friends on the shoulder for help understanding this answer.
There are typically a few common arguments against browser-based crypto. We’ve done our best to address them and have outlined these below.
Browser’s do not natively support proven cryptographic API’s
Reliance on Server-Based Security and SSL
Many browser-based crypto are often reduced down to the security of the server that hosts the client side code along with the security of SSL. So for example, if the client that does the crypto is hosted on our server, then in theory anyone who compromises our server can alter it and add a backdoor. Likewise, relying only on SSL to ensure the integrity of the client from when it leaves our server to when it gets to your machine could be a problem if someone is able to “middle” or otherwise compromise the security of the SSL connection.
You need to trust the Software Author or Server Operator
The last common threat is not one that comes from the wiley hacker, but from us. At the end of the day, running our signed code is only as trustworthy as we are. At Gotham Digital Science, we made a name for ourselves as a trusted advisor to numerous Fortune 100 companies and other large organizations around the world. Our reputation is something we value deeply, and would not jeopardize. We have made every effort to develop a trustworthy platform for securely sharing files, and will do our best to ensure the security and integrity of the platform. We’ve also made every possible attempt to reduce the amount of trust you need to put in us. Our Java client is not only signed, but its also open-source so you can review the code yourself to keep us honest. We also welcome feedback from the public and security community, on suggestions to improve the way we do things. Our mission is to be as secure and transparent as possible, so that even if you don’t need to trust us...you can.