5

Is it possible to create a secure chat web application using just HTML5 and Javascript?

What possible security holes would there be if the server doesn't store the messages, just relay them using websockets, and the transmission is done over SSL?

What prompted me to ask this was I was wondering why Cryptocat was implemented as a browser plugin. I assume it's thought to be more secure than a pure HTML5 solution, but why?

John

2 Answers

11

Actually, this has nothing to do with moving CryptoCat to a browser plugin/extension. It's not even related to SSL at all. Having that in mind, Stephen's answer is somewhat misleading. I'll attempt to address that. CryptoCat is still JavaScript & HTML.

Give me your full attention: assume that SSL is doing its job and you're 100% sure that you're connecting to the genuine CryptoCat server. If Nadim (the guy behind CryptoCat) was forced by law to reveal your future conversation, he'd simply detect when you connect (from your IP) and send you some rogue JavaScript that would make your browser use a custom key, therefore giving himself the ability to decrypt your conversation and give it to the FBI, NSA, CIA, etc.

That form of security is called host-based security, where you give your complete trust to the service provider. Yes, your stuff is encrypted, but the encryption/decryption logic is coming from the service provider, and they can send you whatever they want. CryptoCat was criticized by Schneier and other security researchers for this.

By moving the code to a browser plugin, now you need to trust the source only the first time you download the code. Communication still happens between you and the server, encryption and decryption still happen in your browser, the code is still JavaScript and HTML5. The only difference here is that next time you connect to CryptoCat servers, you don't need to trust the code they send you. The code is in your browser all the time; you can audit it and check it whenever you want.

Patrick Ball wrote a very interesting article on the subject; he explains the concept of host-based security and other related issues. It'll help you understand the big picture regarding this matter.

To directly answer your question, yes it is possible. CryptoCat is a great example.

Adi
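Added example, not part of the original answers and not CryptoCat's code: a Node.js sketch of the difference described above, where code is audited once and pinned, and every later delivery is compared against those pins. The function names, file paths and file contents are constructed for illustration.

```javascript
// Added example, not CryptoCat code. File names and contents are constructed.
const crypto = require('crypto');

// SRI-style digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Pin the digests of the files that were actually reviewed (done once).
function pinAudited(files) {
  return new Map(Object.entries(files).map(([path, body]) => [path, sriDigest(body)]));
}

// Compare one delivery (path -> body) with the pins; return every deviation.
function verifyDelivery(pins, delivered) {
  const findings = [];
  for (const [path, body] of Object.entries(delivered)) {
    if (!pins.has(path)) findings.push({ path, issue: 'unpinned' });
    else if (sriDigest(body) !== pins.get(path)) findings.push({ path, issue: 'modified' });
  }
  for (const path of pins.keys()) {
    const present = Object.prototype.hasOwnProperty.call(delivered, path);
    if (!present) findings.push({ path, issue: 'missing' });
  }
  return findings;
}

// Constructed sample: the build that was audited.
const audited = {
  '/js/chat.js': 'function encrypt(m, k) { /* reviewed build */ }\n',
  '/js/ui.js': 'function render(m) { /* reviewed build */ }\n',
};
const pins = pinAudited(audited);

// Delivery A is byte-identical to the audited build.
const deliveryA = { ...audited };
// Delivery B (constructed): one file differs and one file was never audited.
const deliveryB = {
  ...audited,
  '/js/chat.js': 'function encrypt(m, k) { /* different build */ }\n',
  '/js/extra.js': '/* not in the audited set */\n',
};

console.log('delivery A:', verifyDelivery(pins, deliveryA));
console.log('delivery B:', verifyDelivery(pins, deliveryB));
```

The comparison only means something when it runs from code the server does not deliver, such as an installed extension or a separate monitoring host; a checker shipped in the same page can be replaced along with everything else.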
1

Essentially, the only way to achieve this sort of thing is to send Javascript and HTML to the browser.

But the inherent problem is that the security of the entire system is entirely dependent upon serving HTML and Javascript to the browser. And this boils down to SSL and the Certificate Authority system. So at best, the security of any purely HTML and Javascript application is no better than that of the CA system we have in place — if you can exploit the CA system (which has been done), you can break the security of such a chat application.

Stephen Touset
  • Is the security of the CA system any less reliable than ensuring that no one has tampered with a secure chat executable? – John Jun 11 '13 at 18:14