It's only a joke if you don't trust the js script. Just like any encryption or software is a joke if it is untrustworthy. Unless you have the source code, it is verified and you compiled yourself, then there is always a point of weakness there. You could say the same about SSL certs and HTTPS on any website, you are blindly trusting VeriSign (or cert authority).
But with SSL your root certificates change rarely and you can control them, as well as freeze certificates for specific websites. With Javascript code you don't have that kind of control and if you did it would require a massive change in the approach of creating a webapp in order to be managable.
It's not an insurmountable problem though, I would like to see an attempt at solving it (a browser extension would be required, but arguably you could have much greater transparency in updates than even most package managed apps if you used readable JS).
Fair point, and a browser extension that would detect changes in he script would be easy enough to build. The point is, for the vast majority of users, freezing certs and such is not common (I didn't know you could do that for example) and they would rely on the site to specify the cert to use.
It's not just a matter of trust. If you verified the JS, you could trust it. The issue is that it's very easy to inject things into an HTML page on the fly. It would be like trying to say that you could trust GnuPG, but you download it from the internet and install it every single time that you use it. That's a huge attack surface.
With a small caveat for HTML5 apps where you can install a verified version of specific code you trust in your browser or your phone. And Node.js applications which run on the server side in a controllable version.
But above is just a nuance. I agree on the basic idea when it comes to Javascript you run in the browser, it is a lost battle - unless I get a SHA256 of every version of every javascript library and compare to that, and disallow other unreadable (random emscripten junk) scripts on random pages you visit while browsing. That is why I have NoScript installed, and only allow handpicked sites to run javascript in the browser.
If only we would have had the declarative approach (I still am a little grumpy that the browser makers abandoned W3C and the far better designed declarative technology XHTML2 + XForms to pursue what is now HTML5).
It's not js that's the issue, it's the fact that the server can change the code at any time without the user being notified. So mega can backdoor its own encryption code at any time to retrieve your keys.
It's broken by design, it's not a flaw of js per se.
Your mobile & desktop OSes etc all have a silent automatic update mechanism. Installed programs can start services silently and download executable code in the background and use it as they want. And governments take advantage of these facts regularly.
That's why they created the browser extension. It might even come signed. At least you can read the source in plain text, unlike a compiled binary.
Google play services is one example. Any app can download executable code in the background without you realizing what is happening. Apple has some mechanisms of their own coded in if necessary.