Javascript is now uncompressed and easy to read so that you can confirm what is happening to your data. If you are using Chrome, just right click on the screen and click "inspect data" to see the JavaScript.
Even if your message is secure, it is possible to track what IP address posted or viewed a deadrop. To protect against this, a user could simply use Tor to hide their location.
It is possible for the JavaScript that encrypts your message to be hijacked by a hacker on delivery. The hacker can then inject code into the JavaScript do whatever he wants. Although this is unlikely, you shoudn’t post sensitive information on deadrop.us without using “SSL”. You can do this by visiting https://deadrop.us and accepting the warning or by visiting https://deadrop.herokuapp.com. You will not receive a warning on the latter because the key is signed for this domain (*.herokuapp.com) even though they are the exact same website. This will ensure that the JavaScript originated from the proper server and that it has been encrypted to prevent manipulation on delivery.
This post by Matasano Security sums up a lot of the problems that are inherent with javascript cryptology tools. In the next few posts, we will highlight the main points and provide counter techniques to address all of these concerns. Although these problems in all likelihood will not affect the average user, in extreme security sensitive scenarios these counters should be implemented.
All information on Deadrop.us is completely encrypted before it even reaches our servers. There is no opportunity for us to read any part of the encrypted message. This can easily be confirmed by the community because Deadrop.us Javascript is open-source. All of the source code is completely open and encouraged to be scrutinized by the community. Only by doing this can we ensure the user of exactly what is happening to their data.
Deadrop.us servers never have the opportunity to view your plain text message or your password because your message and password are never sent over the network to the servers. Your message is encrypted via JavaScript within your web browser using your password as the encryption key. Only the encrypted text and the Drop name are actually seen by the server.
"A dead drop or dead letter box is a method of espionage tradecraft used to pass items between two individuals using a secret location and thus does not require them to meet directly. Using a dead drop permits a case officer and agent to exchange objects and information while maintaining operational security." - Wikipedia