displaying secret key in the clear. why ever do this?

Ekalb Thank you for replying. I do agree that the browser is the more hostile environment for the end user and prefer dedicated, signed, provable apps when possible. Especially when dealing with security stuff, but then everything on the box is security-related and part of the attack surface. amiright?

But I've been using 1P for only a few days now and haven't gotten to the desktop app yet - still at Step 2 in the "getting started". :) This was glaring enough for me to throw the WTF? flag.

Since it seems the web browser is required for some purposes/full functionality, your answer doesn't address the threat vectors nor the incomplete fxing of them, as described in my OP. And if your implying that the secret key is visually obfuscated in the dedicated app is true, you're really agreeing with my point. So, thanks (provisionally) for the support. :)