From e15c42f29d75e938b4739f88406ca4358481817b Mon Sep 17 00:00:00 2001 From: klml Date: Mon, 16 Aug 2021 10:59:35 +0200 Subject: [PATCH] link where browser generates key --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 44b2747..afe92e4 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ There are several __security concerns__: * If the server is compromised: * the stored cipher is useless, but you could manipulate the javascript. * if ciphers don't get deleted and the offender gets your mail, your message is disclosed -* The browser generates the key for the message, if your browsers [Math.random](https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Math/math.random) is compromised, everything is worthless. +* The browser [generates](https://github.com/klml/msgsplit/blob/master/static/msgsplit.js#L5) the key for the message, if your browsers [Math.random](https://developer.mozilla.org/de/docs/Web/JavaScript/Reference/Global_Objects/Math/math.random) is compromised, everything is worthless. * Only the transmitted message is encrypted. The receiver is not authenticated. The first one who receives the link, has the message. * brutforce all ciphertexts (`for i in {1..99999999999} ; do curl -s -X POST http://msg.exmple.net:8080/writeread --form "storage_key=$1" ; done ;`): a ciphertext is still useless without the cryptographic-key.
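Review bot: the link added on the `+` line targets `blob/master/static/msgsplit.js#L5`, a line anchor on a moving branch, so it will silently point at unrelated code once anything above line 5 of msgsplit.js changes; pin it to a commit permalink instead. While touching this bullet, note that it names `Math.random` as the source of the message key: Math.random is not a cryptographically secure generator, so the risk is not limited to a "compromised" browser. Either say so in the bullet or generate the key with `crypto.getRandomValues()` and update the wording to match.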