Why can't I use TLS/SSL to deliver the Javascript crypto code?
You can. It's harder than it sounds, but you safely transmit Javascript crypto to a browser using SSL. The problem is, having established a secure channel with SSL, you no longer need Javascript cryptography; you have "real" cryptography.
So, you can deliver the JS to the browser securely!
If you have a secured channel to the server (e.g. SSL), then you can just trust the server to encrypt on that end.
It doesn't matter if you are running server-trusted JS crypto in your browser, or server-encrypted data. Either way, the server is dictating the code/algorithms in use, and could backdoor/subvert the encryption.
This project addresses a different problem. One where you want to have multiple people reading a message at anytime in the future without the need for end to end communication in real time.
Right. Matasano is pointing out that securing communications with JS is basically doomed. But they admit that if you can secure the transmission of the entire contents of the page (HTML, JS, everything), then your JS crypto should be OK. They just can't think of a reason to do that, which obviously you have. :)
edit: sneak points out that you have Google Analytics loading on that page, so your data could be compromised that way - theoretically :)
Only for that point-in-time. Nothing stopping it from serving backdoored JS _just to your IP_, or _just for five minutes that one time_. Dynamic web app, remember? :)
I like the simplicity, but I think you will want to put up some concrete examples on the homepage of what this could be used for. Also I don't think you should put those on a separate page-- they need to be on the homepage so that you engage attention and interest right away.
After a user has seen the message and navigates to another site, anyone can use the back button to see the unmasked message. I like it though - maybe you can turn it into something that allows you to pass notes to coworkers at work?
Another alpha using Twitter's Bootstrap without a clear description on what it does isn't too exciting. I wish people spent a little more time polishing ideas before posting on HN.
In your blog post, the period got typo'd into the https: link. While it's not difficult to fix, others might not catch that at first and think that something has gone awry.
It is a secure way to post messages. Anyone can see the posting (which is encrypted) but only someone with the password can actually read the plain text message. The password should be transmitted outside the scope of the site.
That is known and outside the scope of the project. So, the idea would be to post a message that one or more people who know the predetermined password could read in a central location.
http://www.matasano.com/articles/javascript-cryptography/
(The OP's page has third-party javascript loading onto it (Google Analytics).)