by emagdnim2100 3161 days ago
This is far from true. Client-side crypto at least gives you the ability to inspect outgoing network traffic. This should help to keep site operators honest.

The site operator can of course nefariously and randomly serve JS that exfiltrates keys, but users at least have the _ability_ to audit every single transaction.

2 comments

The Web is terrible for secure crypto, the best you can do is session secrets. However, they're working on a new standard that will finally allow you to store private keys securely. Until then, write your own native apps with webviews and browser extensions with local js that can be audited.
> However, they're working on a new standard that will finally allow you to store private keys securely.

Could you link to some more reading on this?

That is assuming that every type of network request is covered by available monitoring tools and that they are user-friendly. What if web browsers allow you to trigger DNS lookups without HTTP requests? That could already be used to exfiltrate data.
> What if web browsers allow you to trigger DNS lookups without HTTP requests?

Just include hidden links in the page, most browsers have some sort of pre-fetch optimization that does exactly that. I think they make HTTP connections on hover even.

Meta DNS prefetch tags allow this.
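
For anyone auditing a page with the prefetch behaviour above in mind, here is an added example (not part of the thread and not code from any commenter) that lists the off-origin hostnames a page's resource hints and anchors can cause a browser to resolve. The sample HTML and all hostnames are constructed, and `audit` and `HintAuditor` are names chosen for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <link rel> values that let a browser resolve or contact a host without a navigation.
HINT_RELS = {"dns-prefetch", "preconnect", "prefetch", "prerender", "preload"}

class HintAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []            # (kind, hostname) in document order
        self.prefetch_control = None  # value of the x-dns-prefetch-control meta, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.prefetch_control = a.get("content", "").lower()
        elif tag == "link":
            # rel is a space-separated token list, e.g. "stylesheet preconnect"
            for rel in sorted(set(a.get("rel", "").lower().split()) & HINT_RELS):
                self._record(rel, a.get("href", ""))
        elif tag == "a":
            # browsers may pre-resolve hosts of anchors, visible or not
            self._record("anchor", a.get("href", ""))

    def _record(self, kind, href):
        host = urlsplit(href).hostname  # handles scheme-relative //host too
        if host and host != self.page_host:
            self.findings.append((kind, host))

def audit(html, page_host):
    """Return (findings, prefetch_control) for one HTML document."""
    parser = HintAuditor(page_host)
    parser.feed(html)
    return parser.findings, parser.prefetch_control

# Constructed sample page, assumed to be served from app.example.com.
SAMPLE_HTML = """<html><head>
<meta http-equiv="x-dns-prefetch-control" content="on">
<link rel="dns-prefetch" href="//a1b2c3.metrics.example.net">
<link rel="stylesheet preconnect" href="https://static.example.org/site.css">
<link rel="stylesheet" href="/local.css">
</head><body>
<a href="/about">About</a>
<a href="https://app.example.com/help">Help</a>
<a style="display:none" href="https://x9.tracker.example.net/">.</a>
</body></html>"""

if __name__ == "__main__":
    for kind, host in audit(SAMPLE_HTML, "app.example.com")[0]:
        print(f"{kind:13} {host}")
```

This only covers hints present in the served markup; hints injected later by script need the same check against the live DOM.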