Updated with new information and re-published on May 25, 2013.
“Any attacker who could swipe an unencrypted secret can, with almost total certainty, intercept and alter a web request.”
The Real Issue with Browser Crypto
However, the ultimate problem with browser cryptography is that there is no standard for native, in-browser encryption. Much like HTML5 and CSS, there needs to be an international, vetted, audited, cross-browser standard before browsers can securely encrypt and communicate sensitive information. There’s no denying the urgent need for such a standard, considering the ridiculous rate at which the browser is becoming the mainstream central command for personal information.
Fortunately, the W3C Web Cryptography Working Group, which I am a member of, is working hard on solving this problem.
Update (Sep 14, 2011): This post apparently sent Matasano Security employee Thomas Ptacek on a passive-aggressive tirade against me on his Twitter feed, where he posted a bunch of angry attacks that I feel really don’t speak well of Matasano Security’s reputation as a company. As a security researcher, I don’t appreciate having a particular company react against me with public personal attacks and rudeness when I take the time to write a considerate, respectful reply to their analysis.