[rdl]

And worse -- it only needs to send that special password prompt page to a specific IP or user of interest, and maybe only when it comes from a mac box (if the victim is known to do auditing on a linux box, but uses it as a regular client on mac).

Shipping packaged software with evil inside to ~everyone is risky because at least one user is likely to find a bug (accidentally) and try to trace/reverse/whatever (or, at the very least, if you do networked evil, some kind of IDS/firewalling).

Per-user downloads, especially at time of each use, are vastly more risky; this is the "hushmail attack".

[maxtaco]

We're definitely worried about the hushmail attack, and we disclaim browser-based crypto on the site for those who want to protect against powerful adversaries. Some users might not have those concerns.

You've obviously indicated valid concerns, but note, they're not indictments of storing an encrypted private key on the server so much as they are of browser crypto.

[rdl]

Yeah -- from what malgorithms says, you're actually on the path to removing dependency on a given binary being "near" my key material. I trust you guys more than enough for now; I just don't want to have to trust you if this gets wide adoption in 2 years once you become an actual target.