I have been thinking and writing some diagrams and have chan

Question

I have been thinking and writing some diagrams and have changed my mind Hypotheses 1 Even if the user provides the public RSA key the user still can t be sure his her it s key is used when making the AJAX call 2 If the TLS connection is compromised compromised code can be added to the runtime adding keyloggers and other nasty stuff 3 RSA isn t efficient for large data blocks so the file downloading part I will have to approach in a different way Questions 1 Is browser end to end encryption a myth If the TLS connection is compromised doesn t that also mean that JS can be injected to sites lite ProtonMail New Approach 1 Client Before sending data to the server Axios middleware will request `https server com auth key` 2 Server Generate keypair maybe 2048bits if performance allows it 3 Server Encrypt `privateKey` with `applicationKey` set in env 4 Server Store `encryptedPrivateKey` in DB with an random `keyId` 5 Server Return `publicKey` and `keyId` to Client 6 Client The middleware will then encrypt the original payload with this `publicKey` and also provide the `keyId` 7 Client Sends request 8 Server Looks up `keyId` in DB and gets `encryptedPrivateKey` 9 Server Decrypts `encryptedPrivateKey` and gets `privateKey` 10 Server Decrypts request 11 Server Handles request