Hasty Briefs (beta)


Web-based cryptography is always snake oil

6 hours ago
  • #cryptography
  • #web security
  • #legal loopholes
  • Web-based 'end-to-end' encryption is fundamentally flawed because the server operator, who you're supposedly securing against, distributes the client-side code and could push malicious updates.
  • Such cryptosystems are incoherent as they fail to separate the entity being secured against from the one providing the implementation, making them essentially backdoored.
  • Companies adopt snake oil cryptography primarily as a legal maneuver to avoid warrant and subpoena obligations, not to provide real security.
  • Legal reliance on this model is risky: as the Lavabit and FBI–Apple cases show, authorities can and do demand that operators compromise their own systems.
  • Web platform constraints inherently couple client-side code distribution with the service, making meaningful cryptosystems impossible without a paradigm shift.
  • Potential fixes like using service workers with subresource integrity have limitations, such as trust-on-first-use issues and user verification challenges.