by pwlb 1883 days ago
Core mechanisms to prevent Man-in-the-Middle are missing in the article: public-key/certificate pinning or PKIs. Cryptography is best left to the experts; most of today's JavaScript developers are probably missing the knowledge to implement or use it in a correct way.

Those are browser features, not JavaScript features. This is an article about JavaScript.

No, those are crypto concepts.

You can implement them in JavaScript or any other language you choose. (Doing so in client-side JS is probably a stupid idea, but so is pretty much everything in the article. It's definitely possible though.)

Can you explain to me how you think certificate pinning would work in JavaScript? That doesn't make any sense.

Client-side crypto (even in JavaScript) has its place, but certificate pinning is specifically a TLS thing, and IMO not relevant to this discussion.

You have funcs to make public/private key pairs. Funcs to sign things. You can make your own PKI in the usual manner. You could then pin on specific keys in your chain of signatures if you want.

Why you would, I don't know. It's a terrible idea like most use cases for JS client-side crypto, but you could if you wanted to. Then again, cert pinning is a mostly terrible idea in the context of TLS too.