diff --git a/README.md b/README.md
index afe92e4..1d25cfe 100644
--- a/README.md
+++ b/README.md
@@ -28,7 +28,7 @@ There are several __security concerns__:
 * If the server is compromised: 
   * the stored cipher is useless, but you could manipulate the javascript.
   * if ciphers don't get deleted and the offender gets your mail, your message is disclosed   
-* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L5) the key for the message, if your browsers [Math.random](https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Math/math.random) is compromised, everything is worthless.
+* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L6) the key for the message, if your browsers [Crypto.getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues) is compromised, everything is worthless.
 * Only the transmitted message is encrypted. The receiver is not authenticated. The first one who receives the link, has the message.
 * brutforce all ciphertexts (`for i in {1..99999999999} ; do curl -s -X POST http://msg.exmple.net:8080/writeread --form "storage_key=$1" ; done ;`): a ciphertext is still useless without the cryptographic-key.
 
diff --git a/static/msgsplit.js b/static/msgsplit.js
index c2f7879..8c22982 100644
--- a/static/msgsplit.js
+++ b/static/msgsplit.js
@@ -1,8 +1,16 @@
 // https://github.com/ikcede/JS-One-Time-Pad/blob/master/onetimepad.js
 function generate_cryptographic_key (messageLength) {
     var cryptographic_key = "";
+    var byteArray = new Uint8Array(1);
     for(var i=0; i < messageLength ;i++) {
-        cryptographic_key = cryptographic_key.concat(String.fromCharCode(Math.floor(Math.random()*26) + 65));
+        window.crypto.getRandomValues(byteArray);
+
+        //     move   range start  from 0   to 65, to start at ASCII "A"
+        // and reduce range length from 256 to 26, to end   at ASCII "Z"
+        // 256 / 26 = 9.846153846
+        cryptographic_key_range = 65 + Math.floor( byteArray / 9.846153846 )
+        cryptographic_key = cryptographic_key.concat(String.fromCharCode(cryptographic_key_range));
+
     }
     return cryptographic_key;
 }