New feature idea for improving security when using hidden service

Many hidden services cannot run javascript, thus there is no way to do client-side encryption. But the need for client-side encryption does not go away. Suppose there are two parties doing a transaction through some middle man’s hidden service. Suppose this middle man is a bad actor or becomes compromised and the two parties are too lazy or unsophisticated to manually use encryption. Then all their information gets exposed. This is not theoretical, but has happened many times in the history of Tor.

My idea for resolving this is to add encryption and decryption functions directly into the Tor browser and these functions can be called by and HTML tags.

Services can just implement the encryption that fits their need? Also as far as I know when staying in the Tor network the traffic is never decrypted on any server.

Sounds interesting. Any other browser offering this option?

I am not an expert, and my first thought is that encryption needs some sort of secret key known to both parties. How to exchange these between both? Through the middle man’s hidden service? Then it is no longer a secret.

Maybe public/private keys could be the solution and this requires some degree of sophistication and thus exclude parties who are “unsophisticated to manually use encryption”.

This leaves the too lazy and, well, they ask for it.

Protonmail does something like this between two protonmail users.

Sounds to me like the three parties may be bad actors but this is none of my business.

Wouldn’t that fall under user error and not TBB’s fault?

Just saying…