“Any attacker who could swipe an unencrypted secret can, with almost total certainty, intercept and alter a web request.”
The Real Issue with Browser Crypto
However, the ultimate problem with browser cryptography is that there is no standard for native, in-browser encryption. Much like HTML5 and CSS, there needs to be an international, vetted, audited, cross-browser standard before browsers can be capable of securely encrypting and communicating sensitive information. There’s no denying the urgent need for such a standard, considering the ridiculous rate at which the browser is becoming the mainstream central command for personal information.
Update (Sep 14, 2011): This post apparently sent Matasano Security employee Thomas Ptacek on a passive-aggressive tirade against me on his Twitter feed, where he posted a bunch of angry attacks that I feel really don’t speak well of Matasano Security’s reputation as a company. As a security researcher, I don’t appreciate having a particular company react against me with public personal attacks and rudeness when I take the time to write a considerate, respectful reply to their analysis.