Ironically, with JavaScript it would be a lot easier for normies to secure and encrypt their transactions, using their locally generated private keys. The elliptic curve used in all of these is R256, not K256 (Koblitz) used in Bitcoin/Ethereum, and some believe it might have been selected by NIST because of some cryptographic weakness.

The only way it could be secure, however, is proving that the entire HTML + CSS + JS bundle matches a hash and has been vetted by multiple auditors.

Without JavaScript running on the page, you could theoretically scan QR codes with your phone, but this would generate requests from your phone to an arbitrary URL and wind up in your DNS logs. If you’re looking for privacy as well as security, it might not be great.

An alternative might be to download HTML+JavaScript to your local computer, where you generate keys, and click links to go there and back (use it for auth and sign-in).

The best way, these days, is to not use Tor but something like SAFE network or Freenet. The SAFE (previously MaidSAFE) network actually uses a hardened Kademlia DHT that redacts the IP address after the first hop. There was also the Hypercore ecosystem with Beaker browser but there, IP addresses are exposed and can even be DDoSed.
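One way to make the "bundle matches a hash and has been vetted by multiple auditors" check concrete, as an added example that is not part of the comment above: a deterministic digest over every file in the bundle, accepted only when a threshold of distinct trusted auditors have signed that exact digest. The auditor names, the 2-of-3 threshold, the file contents and the use of P-256 (`prime256v1`, assumed to be the curve the comment calls R256) are all assumptions made for illustration.

```javascript
// Added example: auditor names, threshold and file contents are constructed.
const crypto = require('crypto');

// Deterministic digest over the whole bundle: paths are sorted, and each path
// and body is length-prefixed so bytes cannot be shifted between files.
function bundleDigest(files) {
  const h = crypto.createHash('sha256');
  for (const path of Object.keys(files).sort()) {
    for (const part of [Buffer.from(path, 'utf8'), Buffer.from(files[path])]) {
      const len = Buffer.alloc(8);
      len.writeBigUInt64BE(BigInt(part.length));
      h.update(len).update(part);
    }
  }
  return h.digest('hex');
}

// Count distinct trusted auditors whose signature over the digest verifies.
// Unknown auditors and repeated entries from one auditor are ignored.
function countValidAttestations(digestHex, attestations, trustedKeys) {
  const seen = new Set();
  const digest = Buffer.from(digestHex, 'hex');
  for (const { auditor, signature } of attestations) {
    const key = trustedKeys[auditor];
    if (!key || seen.has(auditor)) continue;
    if (crypto.verify('sha256', digest, key, signature)) seen.add(auditor);
  }
  return seen.size;
}

function bundleIsVetted(files, attestations, trustedKeys, threshold) {
  return countValidAttestations(bundleDigest(files), attestations, trustedKeys) >= threshold;
}

// Constructed demo: two of three auditors sign the audited bundle.
function demo() {
  const audited = { 'index.html': '<h1>wallet</h1>', 'app.js': 'sign(tx)', 'style.css': 'body{}' };
  const keys = {}, trustedKeys = {};
  for (const name of ['auditor-a', 'auditor-b', 'auditor-c']) {
    keys[name] = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    trustedKeys[name] = keys[name].publicKey;
  }
  const digest = Buffer.from(bundleDigest(audited), 'hex');
  const attestations = ['auditor-a', 'auditor-b'].map((auditor) => (
    { auditor, signature: crypto.sign('sha256', digest, keys[auditor].privateKey) }));
  const tampered = { ...audited, 'app.js': 'sign(tx); extra()' };
  return { audited: bundleIsVetted(audited, attestations, trustedKeys, 2),
    tampered: bundleIsVetted(tampered, attestations, trustedKeys, 2),
    replayed: bundleIsVetted(audited, [attestations[0], attestations[0]], trustedKeys, 2) };
}
```

The check is only as trustworthy as the code that runs it and the list of auditor keys it is given, so both have to reach the user outside the bundle being verified.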