Re: The underlying point is deeper
@ Christian Berger
I should really not comment until after I've had my coffee and come round a bit, but... you are still a fucking idiot. Yeah, shows I'm an uncouth bitch, but I don't really care. The stupidity in your posts just goes beyond what I can put up with.
The point of all this is not defence against just black-hats, but against government abuse. Servers are always-on. Get a warrant (assuming they can even bother with that anymore), wander into datacenter and grab the relevant server image and copy of the memory. Full access (relatively) trivially. Even if you host your own, an always-on server is relatively simple to get full access to.
Your uses of mobile also seem very limited - the only usage shown in your examples is to browse web-pages. Mobile phones are capable of a lot more than that, including media, games, books etc., with access to the majority independant of internet access. Your scenarios go back to a dumb device that can do nothing without a connection. There are still people who get drop-outs and end up in places with no signal, or no cheap way of connecting to the internet.
Server operating system, plus terminal host - unfortunately, any way you wish to spin that, that is another operating system - plus comms channel ALWAYS required, and to get the full security of custom keys, both server and device need to be fully in your control to get the keys shared. No, the attack surface is pretty high, even if you trust the individual components more yourself, you are talking about all three to be fully secured with no vulnerabilities. The next aspect is who maintains the patches for the two devices and how do you trust them (I assume that you are not claming that the code for both needs to be maintained by the user)? Especially for what is supposed to be a mass-market, "consumer" device.
And your last point? Sounds like you agree with what I said about trust in the vendor.
Damn it - think the coffee is starting to kick in. I don't think we are so far apart about wanting there to be better security for everyone, just that I feel your vision is much too far a step backwards and rules out too many useful scenarios for a smartphone - which is after all a very portable computer - and you overestimate servers and underestimate smartphones. So to finish, I apologize for calling you a fucking idiot.