Missing web security feature: Signed web assets with browser validation
It is finally expected that reputable websites use TLS for all connections. Google, Bing, Facebook, Reddit, many smaller websites, even this blog – we all use HTTPS by default. This protects the privacy and integrity of internet browsing from intrusion near the user, or between the user and server. At the same time, though, a security threat is encroaching from the server direction. Increasingly, no one except a few large corporations has control over their servers anymore. Even data that needs to conform to HIPAA security requirements is being moved into "the cloud" – which is to say, onto computers managed by a few companies. This is primarily the largest cloud provider, Amazon; trailed by Microsoft, IBM, and Google. It's not just that the servers reside at these large providers in the form of virtual machines which can potentially be accessed by the provider, or any government that can compel them . It's also that increasingly, servers are being abstracted awa