Why? Because the US government has a strong and long documented history of murdering dissidents, especially in South America. Side A is an unhinged guy, Side B has a very long rap sheet for murder. McAfee's relationship with the intelligence community should be further investigated by private parties; ignoring a rap sheet like that is just as fantastical as conspiracy.
> Wouldn't work for me though as I have my browser set to nuke everything each time it's closed.
If you don't nuke your local storage, it should still work. I do suspect it may be more annoying without any browser history to go on because there's no model built, so you have to 'prime the pump' a little more than a user who has history would have to.
I would imagine it's either that or they're somehow querying localStorage for the existence of any data for a given domain to indicate that you've been there before (which obviously wouldn't work for sites that don't use localStorage).
With TOFU, "priming" equates to blind trust in practice. This is an important point even when you don't nuke on browser-quit. You can have TOFU (e.g., SSH), WoT (e.g., PGP), or PKI (e.g., TLS)... each with its pros and cons. I can only hope that someday we have something without the "priming" hole of TOFU, the UX hurdles of WoT, and the fact that HTTPS doesn't really stop people from being phished.
I think opting in to the server side checking (which is a bit like the domain-based blacklists that modern browsers have, I think) is the best thing we've got at the moment, so long as that channel isn't compromised.
We rely on the whitelist to block all new threats, putting us ahead of domain-based blacklists. The server side checking is just to create a grade for privacy which you can look at for informational purposes as you browse.