
Too bad it's not sent securely.


It's not sent at all. Everything seems to be generated locally.


The code to generate keys locally is still sent over an unsecured connection.


Why does this matter? You'll need to get the code somehow, and once it's on your machine, it doesn't make any requests. You can take a look at the code to find out if it's malicious or not.


How on Earth would you be able to (easily) tell if the scripts loaded into memory are the scripts at the legitimate URL location? E.g.:

    <script type="text/javascript" src="/js/lib/bitcoinjs-min.js"></script>
    <script type="text/javascript" src="/js/lib/jquery-2.1.0.min.js"></script>
    <script data-main="/js/main" src="/js/lib/require.min.js"></script>


You can still verify that it's not communicating. Browser (and/or OS tools) will show that easily.

What you can't verify easily (without inspecting the source through your browser) is that the keys it's giving you are brand new. Figuring that out is a bit more involved--and you'd have to do that every time you load the page. Which really kills the ease of using a website.
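
Added example, not part of the thread: one way to do the check the comments above discuss, comparing every script a page pulls in against SHA-384 digests pinned from a copy you reviewed. It runs under Node.js; the function names and the script bodies are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// SRI-style digest: "sha384-" + base64(SHA-384(body)).
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body).digest('base64');
}

// Collect script URLs from the markup, including the RequireJS data-main entry
// point (RequireJS appends ".js"). Modules that the entry point loads later are
// not visible in the markup and need pins of their own.
function scriptSources(html) {
  const sources = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\ssrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    const main = /\sdata-main\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (src) sources.push(src[1]);
    if (main) sources.push(main[1].endsWith('.js') ? main[1] : main[1] + '.js');
  }
  return sources;
}

// pinned:  { url: digest } recorded from a copy you reviewed.
// fetched: { url: body } as delivered on this page load.
function auditScripts(html, pinned, fetched) {
  return scriptSources(html).map((url) => {
    if (!(url in pinned)) return { url, status: 'unpinned' };
    if (!(url in fetched)) return { url, status: 'missing' };
    const status = sriDigest(fetched[url]) === pinned[url] ? 'match' : 'mismatch';
    return { url, status };
  });
}

// Constructed sample: the three tags quoted in the thread, with made-up bodies.
const PAGE = `
<script type="text/javascript" src="/js/lib/bitcoinjs-min.js"></script>
<script type="text/javascript" src="/js/lib/jquery-2.1.0.min.js"></script>
<script data-main="/js/main" src="/js/lib/require.min.js"></script>`;

function demo() {
  const reviewed = {
    '/js/lib/bitcoinjs-min.js': 'function makeKey(){/* reviewed */}',
    '/js/lib/jquery-2.1.0.min.js': '/* jquery */',
    '/js/lib/require.min.js': '/* requirejs */',
  };
  const pinned = Object.fromEntries(
    Object.entries(reviewed).map(([url, body]) => [url, sriDigest(body)]));
  // Same URLs, but one body was altered in transit.
  const fetched = { ...reviewed, '/js/lib/bitcoinjs-min.js': 'function makeKey(){/* altered */}' };
  return auditScripts(PAGE, pinned, fetched);
}
```

In the constructed run, the altered library is reported as a mismatch and `/js/main.js` as unpinned, because it is only reachable through the `data-main` attribute.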



