Maybe you could consider adding support for this signed pages browser add-on.
The idea is simple:
- Devs sign the page with PGP and use Subresource Integrity (SRI) in order to ensure all resources loaded from that site are valid (and thus indirectly also signed).
- Browser extension verifies this.
That can protect against the "server trust" problem you still have with Threema Web – actually, with every web application (as discussed in #52). At least it would protect against a server compromise, not against you (dev/Threema) acting evil, of course. So it's a somewhat limited threat model here, but it is certainly better than without that verification.
And BTW, as another advantage, it would also allow anybody to verify third-party self-hosted instances of Threema Web.
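
The "indirectly signed" property described above holds only when every external script and stylesheet in the signed HTML carries an `integrity` value that matches what the server delivers. The Node.js code below is an added example, not code from this issue, Threema Web or the add-on; it assumes the PGP signature over the HTML has already been verified, and `sriHash`, `attr`, `auditSri` and the sample page are hypothetical names and constructed data.

```javascript
// Works as CommonJS or as an ES module (the latter needs Node >= 20.16).
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

// SRI value for a resource body: "<alg>-<base64 digest>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${nodeCrypto.createHash(alg).update(body).digest('base64')}`;
}

// Read one quoted attribute out of a tag's attribute string (simplified parsing).
function attr(attrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(attrs);
  return m ? m[1] : null;
}

// Audit every external script and stylesheet referenced by the signed HTML.
// `served` maps URL -> body the server actually delivered (hypothetical input).
// Inline scripts are skipped: they are part of the HTML the signature covers.
function auditSri(html, served) {
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(/<(script|link)\b([^>]*)>/gi)) {
    const isScript = tag.toLowerCase() === 'script';
    const url = attr(attrs, isScript ? 'src' : 'href');
    if (!url) continue;
    if (!isScript && !/\bstylesheet\b/i.test(attr(attrs, 'rel') || '')) continue;
    const pins = (attr(attrs, 'integrity') || '').split(/\s+/).filter(Boolean);
    let status;
    if (pins.length === 0) status = 'unpinned';        // not covered by the signature
    else if (!Object.hasOwn(served, url)) status = 'not-fetched';
    else {
      // Simplification: any listed hash may match; browsers use only the strongest algorithm.
      const ok = pins.some((p) => /^sha(256|384|512)-/.test(p) &&
        sriHash(served[url], p.split('-')[0]) === p);
      status = ok ? 'ok' : 'mismatch';                 // served body differs from the pin
    }
    findings.push({ url, status });
  }
  return findings;
}

// Constructed sample: a page whose signature is assumed to have verified already.
const appJs = 'console.log("app");';
const samplePage = `<html><head>
  <link rel="stylesheet" href="/style.css">
  <script src="/app.js" integrity="${sriHash(appJs)}"></script>
  <script>var inlineIsCoveredByTheSignature = true;</script>
</head></html>`;
const sampleServed = { '/app.js': appJs, '/style.css': 'body{}' };
```

An `unpinned` finding means the server can change that resource without invalidating the page signature; a `mismatch` means the delivered body no longer matches what the signed page pinned.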