Mike,
>I can't trust any javascript that your service sends to my browser over Tor, because you don't use https.
Great feedback. We are installing the cert in the next couple of weeks; there is a process for that, and the kind of cert we want takes a little time and work. We are still looking for feedback during that period.
>How do I know that script came from your server and that it's not a modified version which came from an exit node, which is going to report the key back to them after it is generated?
This is one reason we would like to create a client-side plugin for the Tor browser. Any ideas how this would be done? I would also like some online pointers about how the JavaScript client-side encryption (we are using cryptico https://github.com/wwwtyro/cryptico) could be hijacked so we can endeavor to thwart these exploits.
>HSTS should be used so browsers remember to use https, and you should contact the Chromium project to get yourself on their list of pinned SSL sites for first time visitors (which is also used in Firefox now I believe), and is also used in the HTTPS-Everywhere project for rule generation.
Wonderful! Thank you so much! All pointers and references are appreciated!
Clay
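
The HSTS suggestion quoted above can be verified once the certificate is in place. The following is an added example, not part of the original message or the service's code: it parses a `Strict-Transport-Security` header value per RFC 6797 and reports what is missing for preload-list submission. The function names are hypothetical, and the one-year `max-age`, `includeSubDomains` and `preload` thresholds are the Chromium preload list's published submission requirements.

```javascript
// Added example: parse and audit a Strict-Transport-Security header value (RFC 6797).
// Function names are hypothetical; any header values passed in are supplied by the caller.
const PRELOAD_MIN_AGE = 31536000; // one year, in seconds

function parseHsts(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const trimmed = part.trim();
    if (trimmed === '') continue; // RFC 6797 tolerates empty directives (";;")
    const eq = trimmed.indexOf('=');
    // Directive names are case-insensitive.
    const name = (eq === -1 ? trimmed : trimmed.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? null : trimmed.slice(eq + 1).trim();
    // Values may be given in quoted-string form, e.g. max-age="31536000".
    if (val !== null && /^".*"$/.test(val)) val = val.slice(1, -1);
    // A directive that appears twice makes the whole header invalid.
    if (directives.has(name)) return null;
    directives.set(name, val);
  }
  const maxAge = directives.get('max-age');
  // max-age is required and must be a non-negative integer.
  if (maxAge == null || !/^\d+$/.test(maxAge)) return null;
  return {
    maxAge: Number(maxAge),
    includeSubDomains: directives.has('includesubdomains'),
    preload: directives.has('preload'),
  };
}

// Returns a list of findings; an empty list means the header meets the preload thresholds.
function auditHsts(value) {
  const parsed = value == null ? null : parseHsts(value);
  if (parsed === null) {
    return ['missing or invalid header: browsers will not remember to use https'];
  }
  const findings = [];
  if (parsed.maxAge === 0) findings.push('max-age=0 clears any stored policy');
  else if (parsed.maxAge < PRELOAD_MIN_AGE) findings.push('max-age below one year');
  if (!parsed.includeSubDomains) findings.push('includeSubDomains missing');
  if (!parsed.preload) findings.push('preload directive missing');
  return findings;
}
```

Browsers only honor this header when it arrives over https, so the audit is meaningful only against responses fetched from the https origin.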