Mylar: Experimental platform for web apps with end-to-end encryption (2014)

18 points by lowmemcpu, almost 5 years ago

2 comments

dane-pgp, almost 5 years ago

Another approach to securing web apps (against a malicious server) is to let the browser enforce that each web app's code matches a pre-approved hash. The technique for doing this was described in a comment thread on Hacker News a couple of years ago[0], and involves using SRI and a bookmarklet.

The limitations are that the web app's domain doesn't appear in the browser's address bar, and of course you need some way of deciding out-of-band which hash corresponds to a safe version of a web app.

Once you trust a specific set of code to do the encryption for you on the client side, there should be no problem in having it send the encrypted data to the server for storage. Decryption would be done on the client using a key derived from a passphrase which the user chooses, and which is never sent back to the server.

An example of some encrypted data that could be sent to the server is a string defining which version of the web app the user wants to run. This requires an initial bootstrapping phase of the web app which checks this user setting before pulling in a particular version of the rest of its code. Again, the user would have to use some out-of-band mechanism to decide whether a new version of the web app really is safe or whether it has been backdoored.

[0] https://news.ycombinator.com/item?id=17776456
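
The bootstrap check described in the comment above, as an added example that is not part of the thread or of Mylar: the user's pinned version and its SRI hash are stored on the server only as an encrypted blob, and fetched code is accepted only if it matches the decrypted pin. It runs in Node.js rather than a browser; the function names, the scrypt and AES-256-GCM choices, and the blob layout (salt, IV, tag, ciphertext) are assumptions.

```javascript
const crypto = require('node:crypto');

// SRI value for a script body, as used in <script integrity="...">.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// True only if the fetched code hashes to the user-approved SRI value.
function matchesPin(body, pinned) {
  const alg = String(pinned).split('-', 1)[0];
  if (!['sha256', 'sha384', 'sha512'].includes(alg)) return false;
  const a = Buffer.from(sriHash(body, alg)), b = Buffer.from(String(pinned));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Encrypt the pin with a passphrase-derived key; only this blob goes to the server.
function sealSetting(passphrase, setting) {
  const salt = crypto.randomBytes(16), iv = crypto.randomBytes(12);
  const key = crypto.scryptSync(passphrase, salt, 32);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(setting), 'utf8'), c.final()]);
  return Buffer.concat([salt, iv, c.getAuthTag(), ct]).toString('base64');
}

// Decrypt on the client; throws if the passphrase is wrong or the blob was altered.
function openSetting(passphrase, blob) {
  const raw = Buffer.from(blob, 'base64');
  const key = crypto.scryptSync(passphrase, raw.subarray(0, 16), 32);
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(16, 28));
  d.setAuthTag(raw.subarray(28, 44));
  return JSON.parse(Buffer.concat([d.update(raw.subarray(44)), d.final()]).toString('utf8'));
}

// Bootstrap step: recover the pinned version, then refuse code that does not match it.
function bootstrap(passphrase, blob, fetchedBody) {
  let pin;
  try { pin = openSetting(passphrase, blob); } catch { return { ok: false, reason: 'setting' }; }
  if (!matchesPin(fetchedBody, pin.integrity)) return { ok: false, reason: 'integrity' };
  return { ok: true, version: pin.version };
}

// Constructed sample: an approved script body and the blob the server would store.
const sampleBody = 'console.log("app v1");';
const sampleBlob = sealSetting('correct horse', { version: '1.0.0', integrity: sriHash(sampleBody) });
console.log(bootstrap('correct horse', sampleBlob, sampleBody));          // accepted
console.log(bootstrap('correct horse', sampleBlob, sampleBody + '//x'));  // rejected: integrity
```

The bootstrap code itself still has to be covered by the out-of-band approved hash, since a server that can alter it can skip this check.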

dang, almost 5 years ago

Discussed at the time: https://news.ycombinator.com/item?id=7465015