[sp332]

Right. Matasano is pointing out that securing communications with JS is basically doomed. But they admit that if you can secure the transmission of the entire contents of the page (HTML, JS, everything), then your JS crypto should be OK. They just can't think of a reason to do that, which obviously you have. :)

edit: sneak points out that you have Google Analytics loading on that page, so your data could be compromised that way - theoretically :)

[sneak]

> But they admit that if you can secure the transmission of the entire contents of the page (HTML, JS, everything), then your JS crypto should be OK

Nope. The server operator can still serve you (perfectly secured over an SSL channel) backdoored javascript crypto code.

[jeduga]

Which can be clearly viewed by the community.

[sneak]

Only for that point-in-time. Nothing stopping it from serving backdoored JS _just to your IP_, or _just for five minutes that one time_. Dynamic web app, remember? :)