JS crypto — just say no
While Gmail is all HTTPS, and plugins (can) allow relatively sandboxed execution environments, the browser as we know it is simply not the place to handle cryptography. Attack vectors are simply too numerous.
When I refer to the browser 'as we know it', I'm specifically referring to something which silently and continuously auto-updates, changing its code routinely, and bringing out glitzy interesting features as a priority over solid, safe implementations. I don't know exactly how Chrome's plugin sandboxing works now, but even if I did I wouldn't in a month's time.
This product brings in some crucial safety belts not addressed specifically in the article below, but it's a good indication of why most people should be suspicious of front-end based security methods: