Thanks, Mike. You’ve actually hit upon the area that we are really focusing on. Our goal is to move to full mutual authentication between our browser extension and the WebSocket. Yes, it would be nice to encrypt that traffic, but anyone who can get into the web browser as the user can get everything filled into forms anyway.
So yeah. We could use ephemeral keys, but that would mostly just save us having to get into this current discussion every few months or so and provide little additional security for the user. Our goal is to move beyond “some reasonable checks” of authenticity to actual assurances. When we have that, then encryption will come (almost) for free.