CTemplar is a recent player in the “secure end-to-end encrypted webmail” field.
They claim: «Our mission is to provide an anonymous E2EE (End to End Encrypted) email. No one except you and your recipient can read the contents of your emails, not even us» (archived).
They give instructions on how to “quickly compare the code served to their [the users’] browser, with the code hosted on GitHub within 15-30 seconds” here (archived).
The browser-compatibility.js file (among many other files that index.html sourced) had two integrity checksums.

The checksum of the browser-compatibility.js file published on GitHub did match the first one specified in the integrity attribute for browser-compatibility.js on the page I got from the server, but I could just as well have received a different, unknown browser-compatibility.js that is not published on GitHub and that matches the second checksum (the problem here is that SRI allows more than one checksum to be specified for a given file).
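To make that check concrete, here is an added example (not code from CTemplar or from the original post) that parses an integrity attribute the way a browser does and reports every accepted checksum that the published file does not match; the file contents, hashes and function names in it are constructed for illustration, not CTemplar's.

```python
import base64
import hashlib
import re

# Algorithms the SRI spec allows, weakest first. A browser keeps only the
# tokens of the strongest algorithm listed and accepts the file if ANY of
# those tokens matches, which is why a second hash opens a second door.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

def sri_token(data: bytes, algo: str = "sha384") -> str:
    """Build one 'algo-base64digest' token as written in an integrity attribute."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def parse_integrity(attr: str) -> dict:
    """Group tokens by algorithm and keep only the strongest one, as a browser does."""
    by_algo = {}
    for token in attr.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", token)
        if m:
            by_algo.setdefault(m.group(1), set()).add(m.group(2))
    if not by_algo:
        return {}
    strongest = max(by_algo, key=SRI_ALGORITHMS.index)
    return {strongest: by_algo[strongest]}

def audit_integrity(attr: str, published: bytes) -> dict:
    """Compare the published file against every checksum the page accepts.
    Each accepted checksum the published file does NOT match is a different,
    unpublished file the browser would load without complaint."""
    accepted = parse_integrity(attr)
    if not accepted:  # no usable token: SRI is simply not enforced
        return {"algorithm": None, "browser_accepts_published": True, "unmatched_hashes": []}
    (algo, hashes), = accepted.items()
    own = sri_token(published, algo).split("-", 1)[1]
    return {
        "algorithm": algo,
        "browser_accepts_published": own in hashes,
        "unmatched_hashes": sorted(hashes - {own}),
    }

# Constructed sample: the attribute lists the published file's hash plus one more.
PUBLISHED_JS = b"export const supported = navigator.cookieEnabled;\n"
OTHER_JS = b"export const supported = true; // unpublished variant\n"
INTEGRITY_ATTR = f"{sri_token(PUBLISHED_JS)} {sri_token(OTHER_JS)}"

if __name__ == "__main__":
    print(audit_integrity(INTEGRITY_ATTR, PUBLISHED_JS))
```

An empty `unmatched_hashes` list is the only result under which "the served code matches GitHub" actually proves anything; a non-empty one means the page would also accept a file you have never seen.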
What does this all mean?
This means, and confirms, that services offering end-to-end encryption through web sites can’t be trusted.