"If my experience serves any purpose, it is to illustrate what most already know: our courts must not be allowed to consider matters of great importance in secret, lest we find ourselves summarily deprived of meaningful due process. If we allow our government to continue operating in secret, it is only a matter of time before you or a loved one find yourself in a position like I was – standing in a secret courtroom, alone, and without any of the unalienable rights that are supposed to protect us from an abuse of the state’s authority."
Edit: Found the source. Link is: http://lavabit.com/
When I looked at the Dark Mail draft it was incompatible with regular email. And the trust models it has were basically the same as you'd get with Gmail today. End to end remained difficult (of course).
Plus it has weird stuff. Like a field for political party on all contacts or something.
Unless you're going to audit every single line of code Mega uses on their site every time you use it, that would leave you completely vulnerable to any backdoor included in the code (because of a court order or a $5 wrench).
Secure E2E Web Crypto is a myth.
The bottom line is that yes, this sort of setup would be worse than PGP email, but it would still be better than traditional web mail which the vast majority of people use.
On an interesting aside: You don't have to audit the code every single time. On first execution of the code, it can store itself in the browser's application cache indefinitely, and manage upgrades in the same style as traditional software. This is fairly new ground though :)
That may solve some of the distribution problems, but no browser-based software can ever be truly secure for a different reason: you have to run the crypto in the same process as the network and parsing code. All browsers have a history of security issues and other bugs in these areas. We should be minimizing attack surface, but browser designers instead decided to add more features that inevitably lead to more bugs.
The browser is an incredible "weird machine", and relying on them for security requires believing that nobody will figure out how to program that "weird machine". The solution is something in the style of the "agent" programs for ssh/gpg. The crypto - especially the private keys - must be done in an isolated process, so buffer-overflows and parser bugs at worst leak only the current data. If the crypto is handled in the browser itself, there is always risk that a bug will allow the keys to be leaked.
 ssh-agent(1), gpg-agent(1)
A lot of people are researching solutions like the app-cache approach to try and fix this, fortunately it's getting better!
Why not use PGP then? It's not hard.
gpg isn't difficult to use, hell my grandmother could do it. Concepts like private keys (this is the key you keep private) and public keys (this is the... well, public key) are trivial to understand.
You don't need to understand the technical details of encrypting and signing messages either, you just paste in the message and the pubkey key and encrypt.
It's by far the best email encryption solution we have right now, and I seriously doubt we'll be seeing anything better any time soon.
Yet any research we have shows that people, even technical people, make simple but critical errors.
That being said, the average native app implementing E2E crypto is probably still safer as of today for a number of reasons:
Binaries are typically signed by the developer, which isn't something you usually see in a web app using Web Crypto. Signing keys are easier to protect from unauthorized access, compared to your entire web stack.
With native apps, you tend to have far more control over code changes. You can chose your own update schedule and review new software versions for any critical component. A typical web app could change the code on every request. Web apps also make it a lot easier to pull off a targeted attack.
There's also simply a larger attack surface in general. Anything from XSS to phishing is much easier to pull off in a web app (though, as iMessage showed us, it's not quite that simple). Just think about how much effort browser plugins for password managers have to go through to prevent users from accidentally entering their master passphrase in some phishing form.
@chrisfosterelli mentioned the app cache approach of circumventing this - I guess we'll end up with some kind of trusted zone for crypto-related code in browsers, maybe with code signing and what not, sooner or later, and that might get us fairly close to the security of native apps. I don't think we're quite there yet.
PS: Thanks for writing acme-tiny!
Btw, you need to correct the WebCryptoAPI link in "Security and Philosophy" part of this page:
Clicking it gives me nothing. Copy-and-pasting the link results that resembles spyware. I think it's just missing a colon after http is all.
I haven't looked at the upload side but that's an interesting datapoint. Not sure how secure AES128-CTR is.
It would be great if a popular mail client came out that supported PGP as a first class feature , initially just signing messages to get awareness and support out, and then end-to-end encryption. I suspect that'll just lead to governments putting even more pressure on banning encryption though, e.g. in the UK where you can be jailed even if you legitimately forget or don't know the decryption key.
 Google released a plugin for Gmail a couple of years ago, but I mean supporting and enabling it by default. There's also the issue of whether a web application is really secure, so an open source desktop/mobile application is a must.
Defines fairly arbitrary list of non-extensible metadata including gender, alma mater & political party (pp. 60). Seems like this should be extensible and predefining a lot of that is short-sighted.
This seems similar to the Apple case, was Tim Cook just too big to bully ?
Snowden had his own encryption or used GPG so a Lavabit backdoor encryption key would not lower the entropy of Snowden's encryted emails.
Was Levinson's gag order lifted ? Why did Lavabit have to close but Apple didn't ?
[EDIT] Levison was not jailed.