by Everlag 4669 days ago
Oh come on. The issue was with the developer using the environment that browsers present incorrectly and it wasn't an inherent flaw of the language.

A stupid/malicious designer will always exploit features of a language to reduce/eliminate the security of the entire system.

Don't be hating on js for the sake of hating on js!

3 comments

It's not js that's the issue, it's the fact that the server can change the code at any time without the user being notified. So mega can backdoor its own encryption code at any time to retrieve your keys.

It's broken by design, it's not a flaw of js per se.

Your mobile & desktop OSes etc all have a silent automatic update mechanism. Installed programs can start services silently and download executable code in the background and use it as they want. And governments take advantage of these facts regularly.

That's why they created the browser extension. It might even come signed. At least you can read the source in plain text, unlike a compiled binary.

Which mobile & desktop OSes do that? The only software that automatically installs updates on my Apple gadgetry seems to be Google Chrome.

Google Play services is one example. Any app can download executable code in the background without you realizing what is happening. Apple has some mechanisms of their own coded in if necessary.

Do you have more information on Apple's mechanisms? I can't find anything (and I'd like to turn them off :)).

You can't turn them off without jailbreaking, then you can download tweaks to turn them off. One I remember from years ago was the 'app blacklist' disabler.

It's not hating on JS for the sake of it though.

Some environments are very hard for cryptography. Javascript in the browser is inherently tricky for cryptography.