Post
Topic
Board Bitcoin Discussion
Re: Build a better bitcoin web service?
by Newton on 03/08/2011, 19:17:49 UTC
Yes, the human factor can't be eliminated but I think it is dramatically reduced if the transaction signing takes place on the client side, in browser code.  If the correct javascript is running, the owner doesn't have access to anything giving him the ability to take the funds.

What the owner does have access to do, is to serve up the wrong code and steal the funds that way.  But doing so immediately exposes the actor to the potential of getting caught (and before he has even been able to profit from it).

I've thought of that as well, but this exposes two surfaces for attack.
First is that the owner can serve up code to steal, not funds, but the key/password necessary, and send it back. If I were to do this, I wouldn't send the bad code every time. I'll just set my server to serve up an edited copy of the .js every X transactions. Just a matter of time before I get all the public keys and minimize the possibility that anybody checking would hit on the sneaking in. And I definitely won't do that until volume is high enough to justify it, so early scrutiny won't help here.

The other surface is that shifting the signing to the client side opens up vulnerability on the user end. A single server (cluster) may be safer in the hands of a group of competent admins, but trying to ensure thousands of users are trojan/virus free? Kinda hard.

(1) I see what you're saying, the owner would be more inclined to take the key.  However, it is still very different than having unfettered and hidden access to the key.  The owner would need to make a public move, even if that move is only every X transactions.  He's taking a risk before reward.  And this might expose him for days before any significant payoff, which is much different than simply walking off with the $1M in holdings on the server.

(2) I don't think the key is any less secure in the client browser.  Suppose you keep the key on the server: a trojan hijacking the user still has access to their password and, through this, to their funds on the server.
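
The "every X transactions" scenario debated above, as an added example that is not part of the original thread: it compares an occasional spot check with verifying every served copy of the signing script against a pinned SRI-style digest. The script bodies, the simulated server and all function names are constructed for illustration.

```javascript
// Added example (Node.js). All names and sample data are hypothetical.
const { createHash } = require("node:crypto");

// Digest in Subresource Integrity format: "sha384-<base64>".
function sriDigest(body) {
  return "sha384-" + createHash("sha384").update(body, "utf8").digest("base64");
}

// Constructed sample data: a known-good signing script and a modified copy.
const GOOD_JS = "function sign(tx, key) { return signLocally(tx, key); }\n";
const ALTERED_JS = GOOD_JS + "/* constructed stand-in for an edited copy */\n";

// Simulates the server from the thread: every Nth request gets the edited copy.
function simulateServer(requests, everyNth) {
  const served = [];
  for (let i = 1; i <= requests; i++) {
    served.push(i % everyNth === 0 ? ALTERED_JS : GOOD_JS);
  }
  return served;
}

// Verify every fetch against the pinned digest; return indexes that mismatch.
function auditFetches(pinned, servedBodies) {
  const mismatches = [];
  servedBodies.forEach((body, i) => {
    if (sriDigest(body) !== pinned) mismatches.push(i);
  });
  return mismatches;
}

// Occasional reviewer: only looks at every `stride`-th fetch.
function spotCheck(pinned, servedBodies, stride, offset = 0) {
  const hits = [];
  for (let i = offset; i < servedBodies.length; i += stride) {
    if (sriDigest(servedBodies[i]) !== pinned) hits.push(i);
  }
  return hits;
}

const pinned = sriDigest(GOOD_JS);       // digest published while the code was reviewed
const served = simulateServer(20, 7);    // edited copy on requests 7 and 14
console.log("every fetch verified:", auditFetches(pinned, served));
console.log("spot check, stride 5:", spotCheck(pinned, served, 5));
```

The spot check misses both edited copies while the per-fetch check flags each one, which is why the pinned digest has to be enforced on every load and obtained independently of the server that delivers the script.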