Web-based cryptography is always snake oil
6 hours ago
- #cryptography
- #web security
- #legal loopholes
- Web-based 'end-to-end' encryption is fundamentally flawed because the server operator, who you're supposedly securing against, distributes the client-side code and could push malicious updates.
- Such cryptosystems are incoherent as they fail to separate the entity being secured against from the one providing the implementation, making them essentially backdoored.
- Companies adopt snake oil cryptography primarily as a legal maneuver to avoid warrant and subpoena obligations, not to provide real security.
- Legal reliance on this model is risky, as government actions like in the Lavabit and FBI–Apple cases show that authorities can and do demand compromises.
- Web platform constraints inherently couple client-side code distribution with the service, making meaningful cryptosystems impossible without a paradigm shift.
- Potential fixes like using service workers with subresource integrity have limitations, such as trust-on-first-use issues and user verification challenges.