The solution in 1 sentence reads: Once you view the web browser as an actor in the cryptography protocol everything else is classic cryptography i.e. your browser must authenticate itself by presenting a shared secret. That's it! (I’ll reply to your posts later, busy right now)