[dividuum]

While that's better it just shifts the problem: Now you have to trust the JS code you're being sent. If an attacker can hijack their current approach, I would think that sending out modified JS wouldn't be to difficult to do either. The trust root currently when using SSH from your machine is an unmodified and non-hostile SSH client.

[icebraining]

True, it's the chicken-egg problem all over again[1].

That said, in theory they could provide a standalone HTML file with all the necessary JS code, which would only do a websocket connection to their servers for the SSH stuff, and would be easier to use in places where you can't install or run binaries. Yes, it could also download malicious code from the server, but then again, so can any ssh binary.

[1] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

[dividuum]

It is possible to create a SRI enforcing bookmarklet and use that to bootstrap the rest of the app from untrusted sources. That way users could drag/drop their current version to the bookmark bar, thereby effectively "installing" and pinning the current version in their browser. See: https://news.ycombinator.com/item?id=17778402