The blockchain.info model is usually presented as the best available to store money easily. It’s nicely summed-up in its description:

The amazing part is the encryption is all done within your browser, before it is saved on our servers, so not even we have access to your account!

Which is a bit misleading: if the wallet code is served dynamically, it can also be dynamically and selectively changed in order to leak keys.[1]

It goes further when one realizes that Blockchain.info uses the DDoS-mitigation service of CloudFlare. It is a trade-off, in exchange for protection, you have to give up a great deal of security.[2]

Because it has to terminate the TLS tunnel, CloudFlare gets to see and alter all the traffic flowing both ways.

That can not only be used to alter the data on-the-fly, but more importantly to sniff signed transactions and AES-encrypted wallet blobs.

In other words, CloudFlare can, without ever being detected:

know which wallets are fat and ripe, and apply offline brute-force key cracking techniques on their specific AES blobs [3] ,

, de-anonymize Bitcoin addresses by mapping them to the IPs from which signed transactions originate.

It’s ok though, the NSA doesn’t care.

[1] The way this is usually dismissed is by arguing that clients can run a client-side code verifier, which is theoretically true.

[2] See: The CloudFlare MITM

[3] Think your password is strong? Think again.