I'm talking about the step where StartSSL generates an SSL private key for you in the browser (unless you know to click "Skip"). No need to install anything in a browser store; it just brings you to a page with a generated SSL certificate using that key.
<keygen>'s really intended for client certificates used to authenticate to websites. I think that (for example) StartSSL use it to generate the private key you use to log into their site, but any private keys you create on their website for things like websites are generated on their server.
But even so, unless you actually inspect the live DOM and ensure it's really using that element for your session, and inspect enough of the rest of the code to ensure it's not some misdirection, you can't really trust it.
Thanks, I didn't know that. But even if the spec says JavaScript on the page should not be able to extract the private key and XHR it somewhere, it's just a bug away.