From 1ab6ad13c0ac56f3febb9ea09c0030ce7b28cfa3 Mon Sep 17 00:00:00 2001
From: Tankred Hase <tankred@whiteout.io>
Date: Sat, 11 Jan 2014 15:17:57 +0100
Subject: [PATCH] add security considerations

---
 README.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 595b0cf5..7cf1401d 100644
--- a/README.md
+++ b/README.md
@@ -24,15 +24,23 @@ Fetch a minified build under [releases](https://github.com/openpgpjs/openpgpjs/r
 
 OpenPGP.js currently only fully supports browsers that implement `window.crypto.getRandomValues`. If you can help us support more browsers and runtimes, please chip in!
 
-### To build
+### Security recommendations
+
+It should be noted that browser based application, following a [**host-based security**](https://www.schneier.com/blog/archives/2012/08/cryptocat.html) model, provide users with less security than installable apps with auditable static versions. This can be achieved by deploying your HTML5 app as a [Firefox](https://developer.mozilla.org/en-US/Marketplace/Publishing/Packaged_apps) or [Chrome](http://developer.chrome.com/apps/about_apps.html) packaged app. These runtimes typically also enforce a strict [Content Security Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) to protect your users against [XSS](http://en.wikipedia.org/wiki/Cross-site_scripting). 
+
+This [blogpost](http://tonyarcieri.com/whats-wrong-with-webcrypto) explains the trust model of the web quite well.
+
+It is also recommended to set a strong passphrase that protects user's private key on disk.
+
+## Development
+
+You can create your own build in `dist/openpgp.min.js` to use in your project.
 
     npm install && grunt
 
-Then take `dist/openpgp.min.js` to use in your project.
-
 ### Run tests
 
-    npm install && npm test
+    npm test
 
 ### Documentation