Steve Bellovin on Nostr: nprofile1q…mvvfe There's another problem here. If the encryption is being done ...

nprofile1qy2hwumn8ghj7un9d3shjtnddaehgu3wwp6kyqpqsu4t3c2h2fl2ws6hfcnn5r7jdn87qvhvaafe5uv3hcwygxz3rjss4mvvfe (nprofile…vvfe) There's another problem here. If the encryption is being done client-side by *any* browser, it's being done by JavaScript—and who knows what the JavaScript is doing? I call this the trust-binding problem. When you download software or an update to it, you're making your decision to trust the vendor at that point. With JavaScript encryption and decryption, you're making that decision every time you load the page. This is a very different concept, and one that isn't make clear to users. (In theory, there could be browser extensions to do the encryption and decryption, but that's not easy for users, and there are many different browsers out there, with very different policies on extensions.)