"a strong passphrase that only they know, combined with a second authentication token provided by SMS, will give a security level that is stronger than even using Truecrypt on your local drive - after all, truecrypt is vulnerable to keylogging software"
This would still allow a government to cease your assets, because there is nothing stopping the passphrase being logged by the site itself, under legal pressure.
Client --> Server
SSL
^
|
Log passphrase after SSL
For an advanced user, I don't see how it adds anything. Here is all the cash I own, nice kind stranger, please protect it for me. No thanks.
(The real problem is that most of the people on this forum are not your target audience, but we are good people to point out flaws. Please don't take offense at any reply.)
This would still allow a government to cease your assets, because there is nothing stopping the passphrase being logged by the site itself, under legal pressure.
Client --> Server
SSL
^
|
Log passphrase after SSL
For an advanced user, I don't see how it adds anything. Here is all the cash I own, nice kind stranger, please protect it for me. No thanks.
(The real problem is that most of the people on this forum are not your target audience, but we are good people to point out flaws. Please don't take offense at any reply.)
None taken. This is why I wanted to discuss the idea first before implementing it, to let you guys poke holes in it and see if it's a worthy project. For the advanced option, what if we took the same approach that Hushmail uses, where encryption is done in either client side javascript or a full java/flash app (although I dislike having to run plugins just to access your wallet)? That would probably be a better option for the truly paranoid (which I admit I am one myself)...
