Well, without knowing the details of how they think two computers can reliably form a secure link without foreknowledge of each other, this doesn't exactly sound bullet proof. Self signed certs or something similar can only go so far. Hell, CA verified certs don't exactly go as far as most should be comfortable with.

Unfortunately, no: both browsers need to exchange volatile information to establish the connection. It includes information like how to traverse NATs to get to the other browser. You need some more centralized service to exchange that information and bootstrap the process.