by icebraining 2717 days ago
True, it's the chicken-egg problem all over again[1].

That said, in theory they could provide a standalone HTML file with all the necessary JS code, which would only do a websocket connection to their servers for the SSH stuff, and would be easier to use in places where you can't install or run binaries. Yes, it could also download malicious code from the server, but then again, so can any ssh binary.

[1] https://www.nccgroup.trust/us/about-us/newsroom-and-events/b...

1 comments

It is possible to create an SRI-enforcing bookmarklet and use that to bootstrap the rest of the app from untrusted sources. That way users could drag/drop their current version to the bookmark bar, thereby effectively "installing" and pinning the current version in their browser. See: https://news.ycombinator.com/item?id=17778402
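The check a pinned loader of this kind has to make before running anything fetched from an untrusted host, as an added example that is not part of the thread or of any project mentioned in it. The function names, the fail-closed handling of an empty pin, and the injectable `fetchFn` are assumptions; the pin string is what would be stored inside the bookmarklet itself.

```javascript
// Added example; all names are hypothetical. Falls back to Node's webcrypto
// so the code also runs outside a browser (older Node has no global crypto).
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const ALGS = { sha256: "SHA-256", sha384: "SHA-384", sha512: "SHA-512" };

// Parse SRI metadata ("sha384-<b64> sha512-<b64>") into entries, dropping
// tokens with unknown algorithms and ignoring any "?options" suffix.
function parseIntegrity(metadata) {
  return metadata.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], b64: m[2] } : null;
  }).filter(Boolean);
}

async function digestB64(alg, bytes) {
  const out = new Uint8Array(await subtle.digest(ALGS[alg], bytes));
  return btoa(String.fromCharCode(...out));
}

// True only if the bytes match a pin of the strongest algorithm listed, so a
// weaker hash in the same string cannot be used to downgrade the check.
async function verifyPinned(bytes, metadata) {
  const entries = parseIntegrity(metadata);
  if (entries.length === 0) return false; // assumption: no usable pin means refuse
  // "sha256" < "sha384" < "sha512" also holds lexicographically.
  const strongest = entries.map((e) => e.alg).sort().pop();
  for (const e of entries.filter((x) => x.alg === strongest)) {
    if ((await digestB64(e.alg, bytes)) === e.b64) return true;
  }
  return false;
}

// Fetch the raw bytes, verify them, and only then return source text for the
// caller to execute. Hashing happens on bytes, before any decoding.
async function loadPinned(url, metadata, fetchFn = fetch) {
  const res = await fetchFn(url, { cache: "no-store" });
  const bytes = new Uint8Array(await res.arrayBuffer());
  if (!(await verifyPinned(bytes, metadata))) {
    throw new Error("integrity mismatch, refusing to run " + url);
  }
  return new TextDecoder().decode(bytes);
}
```

The pin only protects what it covers: everything the verified script later loads needs its own pinned hash, or the chain is broken at that point.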