add security considerations

2014-01-11 15:17:57 +01:00 · 2014-01-11 15:17:57 +01:00 · 1ab6ad13c0
commit 1ab6ad13c0
parent 0dadbff695
1 changed files with 12 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -24,15 +24,23 @@ Fetch a minified build under [releases](https://github.com/openpgpjs/openpgpjs/r

 OpenPGP.js currently only fully supports browsers that implement `window.crypto.getRandomValues`. If you can help us support more browsers and runtimes, please chip in!

-### To build
+### Security recommendations
+
+It should be noted that browser based application, following a [**host-based security**](https://www.schneier.com/blog/archives/2012/08/cryptocat.html) model, provide users with less security than installable apps with auditable static versions. This can be achieved by deploying your HTML5 app as a [Firefox](https://developer.mozilla.org/en-US/Marketplace/Publishing/Packaged_apps) or [Chrome](http://developer.chrome.com/apps/about_apps.html) packaged app. These runtimes typically also enforce a strict [Content Security Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) to protect your users against [XSS](http://en.wikipedia.org/wiki/Cross-site_scripting). 
+
+This [blogpost](http://tonyarcieri.com/whats-wrong-with-webcrypto) explains the trust model of the web quite well.
+
+It is also recommended to set a strong passphrase that protects user's private key on disk.
+
+## Development
+
+You can create your own build in `dist/openpgp.min.js` to use in your project.

    npm install && grunt

-Then take `dist/openpgp.min.js` to use in your project.
-
 ### Run tests

-    npm install && npm test
+    npm test

 ### Documentation