facebook.com + encryption + anonymity = devicecode.net? is it secure?

i am new in the it security. so maybe some expert can help me.

i used for a while enigmail (http://enigmail.mozdev.org/home/index.php). it's a gpg plugin for thunderbird. but i hate this key-ring management. most of the public-keys become out of date, and i switch to hushmail.com - a crappy and ugly webmail solution with email encryption. i am idiot - i used it over two months and then i read this article http://en.wikipedia.org/wiki/Hushmail - they have backdoors in their encryption and worked with the feds.

now i test device code (http://www.devicecode.net/). it's a kind of social network, but only with the basic features - contacts and profile management. But the real feature is the messaging encryption - they used a javascirpt encryption library (with rsa, aes and stuff) and encrypt your messages end-2-end. it's a mixture of facebook.com and hushmail.com. short: facebook.com - girls - pictures (you cannot upload a picture of you??)+ ugly design (colors?)+ encryption + anonymity + ajax + javascript rsa 1024 bit key-generation (crazy and super slow :/ - works only good with chrome!).
i try to debug the library with firebug to find a security issue (http://www.devicecode.net/about.php?topic=security), or just a chance to leak some information, but my javascript skills are too low. I cannot find any information about this service.

Have someone of you use it? If you look inside, there are only some people - but at irc i hear, that some warez groups use it for their communication. Is it really possible to encrypt SECURE with Javascript (i don't mean Vigenere/i talk about RSA)? Is there a way with XSS?

Why try to debug it?................ just look at their privacy policy:

Quote:

---

We are commited to collaboration with authorities, especially prosecuting authorities and courts and can in this context be forced to pass on personal data.

---

Whilst I have never looked at the issue in depth I have always had a suspicion about these "one stop shop" encryption and delivery services. At the very least you must implicitly trust the provider? Pretty similar to anonymous proxy services IMO.

The most secure system I would imagine to be independently encrypting the message yourself before sending it. At least you wouldn't have to worry about backdoors.

Having said that, if the content is really sensitive, you shouldn't be using the internet anyway.;)

Quote:

---

The most secure system I would imagine to be independently encrypting the message yourself before sending it. At least you wouldn't have to worry about backdoors.

---

word. but this is the point: the message you send are encrypting in YOUR BROWSER, before it send per ajax to the service.

Yes but using their format/methodology or whatever. If you used something like 256 or 512 bit AES from an independent source, and then fire it off, it wouldn't really matter if the transporting layer had a backdoor? It would take an unreasonable amount of time to break the core encryption?

http://www.facebook.com/apps/applica...?id=7923770364

Sheeps... do a traceroute to hushmail or even facebook. Who and what are all those servers? Why would anyone in the first place go to a Free website to publish their public key where your hostname is recorded along with the Mac Address? Why fall for the Verisign scam sceme where they can snitch out encrypted communi from your victims traced back to you. Use your own encryption, store your keys local but encrypted, and install your own email server. That way you can monitor _back_ on who is snooping on you. Java is not your friend... you do not know the programmer or the complete sceme of things. Do your dirt in the streets.

or create a ftp or web service.....place a picture bug in your email that when it is open will goto your server where you can log their ip, the time they viewed and what program they used. If you write to 1 person but the trap was baited 7 times with 6 different locations, something is wrong