Highest Rated Comments


R-EDDIT 357 karma

What have you learned from malware about programming that general programmers would do well to learn from?

R-EDDIT 38 karma

When seat belts came out some people were convinced you'd be better off in a rollover if you get thrown clear from the car. That's probably a one in a million event, but it has happened at least once. It's like buying a lottery ticket, which lots of people do because people are bad at math.

R-EDDIT 4 karma

Verizon stopped deploying FiOS once the cable companies started handing over LTE bandwidth. Coincidence?

R-EDDIT 2 karma

A useful comment to address: how does E2E prevent (edit) malicious updates? The Google Chrome model allows Google to silently update browser extensions, with no means for the user to block or verify updates. This risk was highlighted by an HN user who seems to share the same name as an E2E author.

https://news.ycombinator.com/item?id=6678550

If your browser gets JavaScript crypto from webmail.example.com every time you visit webmail.example.com then there's nothing stopping webmail.example.com from serving malicious JavaScript crypto that steals your keys or unencrypted data. Even though the JavaScript runs locally, the code is supplied by webmail.example.com. There's a discussion of this and a few other issues here: http://www.matasano.com/articles/javascript-cryptography/

JavaScript in web browsers also has a few other issues, such as side-channel timing attacks and the lack of control of memory.