Re: Open source secure browser-based storage, with a $1000 challenge



If the remote server is the one supplying the JavaScript code

Is this significantly different from downloading a "secure" application
written in C++ or Java?

Yes. I think there's a significant difference.

I don't download C++ source code from random remote servers and
compile and run it blindly.

I do download software packages from a site I trust (my yum repository),
but those are GPG-signed, and my client checks the public-key signature
before installing them. Moreover, they are installed only once, when I
(as sysadministrator) request that they be installed -- and not by my
web browser.

And because the source code is distributed from a central server, no
one need worry that they, alone, have a spiked copy of the software.

But that's just not accurate. A central server can certainly serve
personalized versions of the software to each client. For instance,
a central server might hand a different version of the software to
each user. More dangerously, a central server might hand one version to
Alice, but a different version to everyone else. I can imagine all sorts
of scenarios where a central server might be able to provide malicious
code to some people some of the time and not be very likely to get caught.

As a result, I think there are limits on how much confidence one can
have in the sort of scheme you describe. It might be adequate for some
purposes, but it would be easy to over-estimate the amount of security
it provides.
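
An added example, not part of the original post: a Node.js sketch of the two checks the argument above turns on, comparing each served copy against a digest pinned out of band (the role the GPG signature plays for yum packages) and comparing the copies different clients received. The function names, client names and script bodies are constructed for illustration.

```javascript
const crypto = require('crypto');

// SRI-style digest of a script body: "sha256-<base64 of SHA-256>".
function sriDigest(body) {
  return 'sha256-' +
    crypto.createHash('sha256').update(body, 'utf8').digest('base64');
}

// Group what each client was served by digest and list the clients whose
// copy does not match the pinned release digest.
function auditObservations(pinnedDigest, observations) {
  const byDigest = new Map();
  for (const { client, body } of observations) {
    const digest = sriDigest(body);
    if (!byDigest.has(digest)) byDigest.set(digest, []);
    byDigest.get(digest).push(client);
  }
  const mismatched = [];
  for (const [digest, clients] of byDigest) {
    if (digest !== pinnedDigest) mismatched.push(...clients);
  }
  return { distinctVersions: byDigest.size, mismatched: mismatched.sort() };
}

// Constructed sample data: the same URL returns one body to Alice and
// another to everyone else.
const RELEASE = 'function encrypt(k, m) { return aes(k, m); }\n';
const ALTERED = 'function encrypt(k, m) { leak(k); return aes(k, m); }\n';

// Assumption: this digest reaches clients by a channel the server does not
// control (a signed release note, a package repository, a pinned manifest).
const PINNED = sriDigest(RELEASE);

const observations = [
  { client: 'alice', body: ALTERED },
  { client: 'bob', body: RELEASE },
  { client: 'carol', body: RELEASE },
];

// Bob and Carol comparing notes see a single version and nothing amiss;
// only the pin, or a comparison that includes Alice, exposes the difference.
const othersOnly = auditObservations(PINNED, observations.slice(1));
const everyone = auditObservations(PINNED, observations);

console.log('bob+carol:', othersOnly);
console.log('all three:', everyone);
```

Without the pinned digest, Alice has nothing to compare her copy against, which is the gap between a signed one-time install and code fetched from the server on every visit.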