Top
Best
New

Posted by enz 10 hours ago

Web-based cryptography is always snake oil(www.devever.net)
66 points | 75 comments
stymaar 8 hours ago|
> A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against.

This is both true, and also useless: pretty much any E2E system is falling under this definition.

By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

That doesn't mean it's snake oil though, as the entity you want protection against is generally not the software provider but a third party. Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

It also means you are safe from data leaks, which are by far the most common threat today.

No system can be secure unconditionally, it's always secure under a particular threat model. And in practice “the attacker is able to deploy arbitrary code on your behalf for an extended period of time without being detected ” is a much narrower attack surface than “the attacker is able to obtain read-only access to your DB or your backups for at least a few minutes”. In the former case, the encryption being broken is also the least of your concern, as you've basically given remote access to all of your user's devices at this point…

bigfatkitten 8 hours ago||
One thing you can do is have your adversary put their money where their mouth is and use the very same products, sourced independently, that they use to protect their own sensitive information.

There are limits to this of course. You can’t buy a TACLANE[1], but you can buy many of the other products[2] USG uses to protect its own classified information.

[1] https://gdmissionsystems.com/encryption/taclane-network-encr...

[2] https://www.nsa.gov/resources/Commercial-Solutions-for-Class...

crote 7 hours ago||
The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

A more modern example is probably the NSA aggressively pushing[3] for replacing classical encryption with post-quantum encryption, rather than taking the more conservative and probably-more-secure approach of layering the two - while at the same time mandating the use of two layers of those same algorithms for their own use[4]!

[0]: https://en.wikipedia.org/wiki/NOBUS

[1]: https://en.wikipedia.org/wiki/Clipper_chip

[2]: https://en.wikipedia.org/wiki/Dual_EC_DRBG

[3]: https://blog.cr.yp.to/20251004-weakened.html

[4]: https://defense-solutions.curtisswright.com/capabilities/tec...

tptacek 54 minutes ago|||
The NSA isn't aggressively pushing for PQC; the industry is. Note that the PQC standard we have was the product of a competition won by European academic cryptographers.
bigfatkitten 6 hours ago|||
> The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

The problem with these examples is that they weren't used in national security systems, which are the systems for which NSA has a legislated defensive responsibility.

Clipper was designed for use by the public; it was not intended to ever be used to protect classified (or even sensitive unclassified) information at all.

Likewise with Dual_EC_DRBG. The CSfC component requirements drew from the Common Criteria Protection Profiles, where Dual_EC_DRBG was never an option.

xg15 7 hours ago|||
> Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

You don't need E2E for that, using https/TLS for transport and servers hosted in the US would be enough.

stymaar 2 hours ago||
It will be enough until the server is pwnd and the data is leaked to the world.

Data breaches happen literally every day.

xg15 1 hour ago||
But that's OP's point. If the server is pwned, the hackers can simply change the front-end of the app and have it send the confidential data to wherever after it was decrypted on the client.
stymaar 1 hour ago||
See what I wrote above:

> in practice “the attacker is able to deploy arbitrary code on your behalf for an extended period of time without being detected ” is a much narrower attack surface than “the attacker is able to obtain read-only access to your DB or your backups for at least a few minutes”. In the former case, the encryption being broken is also the least of your concern, as you've basically given remote access to all of your user's devices at this point…

Data breach occur every day, rootkits being covertly deployed in production apps for a substantial period are much rarer. E2ee only protects against the former, like a safety belt only prevent you from frontal shocks. Nobody would say they are snake oil because of that.

eptcyka 1 hour ago|||
> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

But with repro builds and system transparency, hiding backdoors is impractical.

sandeepkd 39 minutes ago||
Not really, time and time again people have abused their position/influence to build backdoors almost into everything for good or bad reasons. The whole idea of third party audits was to ensure that there are checks and balances. Then again the auditors are lowest paid to get stuff done and they take word of the company for most part.

On other hand its quite natural, security is not really getting you direct revenue so business is least motivated in investing it or say continuously investing in it. The ones that do are doing partial lip service for most part.

conartist6 1 hour ago|||
It's not useless, I don't think.

If the software is open source and you only install new versions after their source code has been audited, you should be ok.

xg15 7 hours ago|||
> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

That's not completely true. If I can control when (and if!) the software updates and if there is some kind of vetting process to verify that the version I'm currently running does not contain a backdoor, I can treat it like a third party with respect to the server.

I agree with you though that most current software that are made to auto-update at any time without any oversight do not fall under this umbrella. Web apps definitely don't fall under it.

SoftTalker 57 minutes ago||
> if there is some kind of vetting process to verify that the version I'm currently running does not contain a backdoor

This would be extremely difficult, I would say impossible from a practical standpoint.

adirelle 7 hours ago|||
> the entity you want protection against is generally not the software provider but a third party.

This. The author is dismissing the whole web-based cryptography, or any end-to-end cryptography for that matter, on the basis of a one-dimension analysis.

upofadown 6 hours ago|||
But claiming that your system is end to end encrypted means that you are claiming protection from you and your system. This is mainly a truth in advertising issue.
stymaar 2 hours ago||
> means that you are claiming protection from you and your system.

Not necessarily. I push for e2ee everywhere I can for a completely different reason: when (not “if”, “when“) we get breached, we cannot leak sensitive data we don't have.

sscaryterry 7 hours ago|||
The article is nothing but a rant.
earth-tattoo 7 hours ago||
Craigslist used to have a Rants & Raves section for exactly these kind of things. I think they still have, but in old times it used to be so happening! Maybe hacker news needs to have one.
teravor 1 hour ago|||
a website can serve you a keylogger client and no one will ever know most likely, harder to do with binaries/sources
sneak 7 hours ago|||
> This is both true, and also useless: pretty much any E2E system is falling under this definition.

This is not true. I can build Signal from source from GitHub, and use Signal-the-service with the client (which did not come from Signal, but GitHub/my compiler).

Many cryptosystems are like this. In any case, if you are getting something from the App Store, you can get it once and disable autoupdates, which prevents the service provider (presuming they are the same as the people who published the app) from backdooring you at some point in the future. Alternately, even with updates, unless Apple is colluding with them to serve only you* a specific backdoored app, you can at least be reasonably confident that it's not specifically backdooring only you* in an undetectable fashion.

hamburglar 33 minutes ago|||
If you get an open source app from the App Store, is there any assurance it actually reflects the code in the repo? I’d think the signing step happening in isolation opens the door to tomfoolery.
stymaar 7 hours ago|||
> This is not true. I can build Signal from source from GitHub

Sure, but can you find an NSA-designed backdoor in the source code?

> you can get it once and disable autoupdates

Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync. Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?

What you describe may be possible for an intelligence agency, but completely out of reach for an individual.

> unless Apple is colluding with them

Given the most likely adversary is the US intelligence with a warrant, it's absolutely not far fetched to assume that in your threat model.

> you can at least be reasonably confident that it's not specifically backdooring only you

That's not really reassuring…

tptacek 50 minutes ago|||
Now the argument is shifting. It started out as "a cryptosystem can't be secured from the entity in control of its supply", and now it's "a cryptosystem can't be secured even given its source code because the NSA".
stymaar 35 minutes ago||
It's not shifting. It doesn't need to be the NSA, intelligence agencies are just, by far, the most likely attackers against Signal.
tptacek 28 minutes ago||
It's not the identity of the agency that makes the argument so slippery!
subscribed 4 hours ago|||
>> This is not true. I can build Signal from source from GitHub

> Sure, but can you find an NSA-designed backdoor in the source code?

You're moving the goalpost. They were responding to the claim suggesting it's impossible to get non-Signal provided signal.

>> you can get it once and disable autoupdates

> Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync.

That's demonstrably false. On one of my idle/backup phones I'm using Signal 8.8.2, released in April 2026, almost 3 full months ago. It can not only connect to the network but everything works, with every contact.

You might think of the official Signal client expiration, but that's client side (meaning that you can compile and use the version that doesn't have it) and..... 90 days, not "a few".

I don't have a concrete number for the server side of enforcement though (minimumVersions seems to be populated at start time, with the defaults not committed to the repo). It's not entirely unreasonable to assume that the lowest official supported version is the one that introduced the concept of usernames, and the only meaningful capability test is SPQR.

> Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?

I think disabling auto update was shown as a possible strategy against a silent, targeted auto update. Not a way to remain protected against the general CVEs.

Non sequitur.

stymaar 1 hour ago||
> You're moving the goalpost. They were responding to the claim suggesting it's impossible to get non-Signal provided signal.

That was never my claim. The claim is that you cannot protect youself from Signal being malicious if Signal is the maker of the software. Compiling the software yourself doesn't help against the kind of adversary in the threat model.

> That's demonstrably false. On one of my idle/backup phones I'm using Signal 8.8.2, released in April 2026, almost 3 full months ago. It can not only connect to the network but everything works, with every contact.

Lucky you, you only need to fully audit the codebase every 3 months.

I'm using the Signal apk directly so I'm painfully aware of the frequency of the breakages.

> I think disabling auto update was shown as a possible strategy against a silent, targeted auto update. Not a way to remain protected against the general CVEs.

I don't think you understand my point. I'm not talking about the CVE being exploited against you. The CVE will just push you to download the compromised update, breaking your “security through lack of update” policy.

upofadown 6 hours ago||
>...pretty much any E2E system is falling under this definition.

The definition is quite clear. It does not apply when the implementation is not distributed by the same entity that creates it for example. There are other related issues but the message here is that web based cryptography has a particular weakness when it comes to things like end to end encrypted messaging which makes it so bad as to be worthless.

stymaar 2 hours ago||
> The definition is quite clear. It does not apply when the implementation is not distributed by the same entity that creates it for example.

How can you be sure that the entity distributing the software didn't backdoor it?

> the message here is that web based cryptography has a particular weakness when it comes to things like end to end encrypted messaging

There's literally no substance about that claim in TFA.

onetimeusename 38 minutes ago||
Something I don't understand about this argument, which has been made before, is you can tie JavaScript to a specific hash with SRI. So you release the cryptographic code in public where it can be audited and then what runs in the browser verifies that was what loaded.

The host could inject malicious JavaScript from the host or change libraries but I feel like this is an avoidable problem because it can be audited much more easily than expecting users to audit JavaScript every time. People could even build known, trusted, web frontends. So I think there are mitigations if not ways to assure the browser is running trusted code.

figassis 8 hours ago||
The author is basically saying if you participate in any part of the encryption process, you're deceiving users in saying things are e2e encrypted.

Isn't this conflating encryption with trust? Of course whoever claims to encrypt your data needs to be trustworthy, and whether they actually are is another matter, but If my app allows you to generate a client side key, export it and use it to encrypt data client side and we only get the encrypted data, that is verifiably valid encryption.

I could be malicious and also send a copy of your actual plaintext to the server as well, but that is trivial to check (unless I'm being targeted and I am the only user that gets the malicious code, still, I can check). It's a risky proposition for an organization with vested interest in being seen as pro privacy.

But I get it, different conversation if the government coerces you, and the outcome depends on your bank account and ability to handle pressure.

p-e-w 8 hours ago|
> Isn't this conflating encryption with trust?

Absolutely, and the claim is somewhere between nonsense and pedantry bordering on nonsense.

The exact same thing is true for, say, Signal. The provider delivers the client, and they aggressively block non-official clients from participating. So the “ends” in end-to-end are ultimately controlled by Signal. But as long as you trust the Signal company not to insert a backdoor into your client, it’s still true that the company can’t read your texts.

sneak 7 hours ago||
Signal does not aggressively block non-official clients. I constantly use a modified version of Signal Desktop containing a small set of my own patches, and it always works fine. Also, while autoupdate is on by default for the Signal client (and it includes a time bomb expiration to attempt to "force" you to upgrade regularly (removing this is one of my patches)), you are free to turn it off and remove their ability to modify the code on your own system.
p-e-w 1 hour ago||
This doesn’t work on iOS, where you can’t selectively disable automatic updates for a single app.
somezero 9 hours ago||
The entire argument is based on the definition of an “Incoherent cryptosystem”, which is too restrictive to be useful for cases that you want eg. Tor is also developed and distributed by Tor people and it is supposed to protect you against everyone, including the Tor people.
TuringTux 8 hours ago||
I think the article raises interesting questions about trust, but I am also doubtful if the definition of the “incoherent cryptosystem” is useful:

The article argues that Signal is an incoherent cryptosystem, because they ship the E2E-encrypting Signal client (and could, hence, backdoor it) that should protect me, the user, against their own infrastructure snooping on me.

As I understand the definition, we would not have an incoherent cryptosystem if I used a third-party client on Signal's infrastructure. Said Non-Signal client would implement E2E encryption, and use the Signal infrastructure, so the entity running the infrastructure is different from the entity providing the client. But is this any better?

Couldn't “Non-Signal Corp.” be coerced by the government (or decide to build a backdoor for their own gain) just as easily as “Signal”?

So I don't think it matters if the entity distributing the client is the same as the one running the infrastructure. It matters if I trust the client. How to implement this (audits, OSS, version pinning, ...) is still an open question to me.

subscribed 6 hours ago|||
Perhaps Molly[1] could serve as an alternative client for you?

[1] https://molly.im/

sneak 7 hours ago|||
This is precisely why I have autoupdates disabled for my Signal apps. They're on by default, which basically gives Signal-the-org remote code execution on my machine (same as Chrome's built in transparent autoupdate gives Google RCE on your machine).
memoriyato3 8 hours ago||
technically you could audit your local copy of tor source code, build it, and then never upgrade it.

still this wouldn't guarantee that all the other nodes are not compromised

daft_pink 6 hours ago||
I don’t agree with this. While, it may be true that E2E carries risks of government surveillance.

E2E makes it less likely that your information will get hacked and reduces the risk that employees will access your information.

The reality is that these security claims are generally subject to internal audit and would need company wide collusion and the risk of a whistleblower or disgruntled former employee if they were violated provides some level of protection that a large tech company offering of e2e doesn’t mean some level of benefit from the user compared to perfect encryption security.

xg15 7 hours ago||
I feel the legal part is on point. It's also increasingly used by governments to have their cake and eat it too: "We'll completely lock down your devices and run all kinds of analysis on your data, but don't worry, it's all done on-device and all communication is encrypted, so our promise to protect your privacy is kept!"
tptacek 49 minutes ago|
Kind of a weird concern to be reading on HN, where the sentiment is overwhelmingly that these kinds of systems should be exempt from warrants and discovery.
tancop 7 hours ago||
this is one of the problems content addressed stores like nix and ipfs can prevent. every version of the code is immutable and impossible to delete. if the devs update the "latest pointer" to a backdoored release users can just stay on the old version or move to a fork. and in the happy case (honest developer) you get all the benefits of auto update.

for this to work in practice it needs to be paired with reproducible builds, open source and either p2p or server choice (use signal.mydomain.net instead of signal.org). but these are all things that already exist and none of them is really hard to set up. the harder problem is distributing community block lists of bad package versions but that can be done with atproto or simple ublock style filter files.

i think the real bottleneck for adoption is that the only browser with built in ipfs support is brave, the one thats full of crypto ads and affiliate link fraud. i dont know if firefox would ever take it up or we need to build a brand new browser. or find a way to do it one layer down with a system service.

sneak 7 hours ago|
Signal clients have a built in time bomb in each version to "force" you to upgrade after a period of time. It can, of course, be patched out (and I patch it out, along with other fuckery such as disappearing messages/expiring messages/remote delete) but to say that "reproducible builds + content-addressing distribution" solves this problem is basically false in practice.

Also, on iOS, almost everyone has app autoupdates turned on because that's the default.

hrmon 8 hours ago||
Many comments suggest that the definition and criteria proposed are infeasible and useless. They are not wrong. But still it points out something the layperson misses (or even many tech-savvy people): An E2EE service from A does not provably protect your data against A.
Panzerschrek 8 hours ago||
> The purpose of cryptography theatre is not to deliver actual security from a cryptographic perspective but act as a kind of magic spell

This reminds me Telegram, which promises to be secure, but requires giving it my phone number, which is the most insecure thing one can do.

prophesi 9 hours ago|
The discussion on the proposed solution is interesting

https://github.com/w3c/ServiceWorker/issues/1680

captn3m0 8 hours ago|
There are a lot of other implementations of this idea that don't necessarily rely on trust-on-first-use. The securedrop team explicitly includes malicious JS served by the primary-domain in the threat-model and made WEBCAT[0] as an outcome of that research. Their article on webcrypto is much better than this one.

The solution obviously is to go out-of-band:

> When a user visits a website that has enrolled in WEBCAT, before the site can load the content is checked against a signed manifest to ensure that it has not been tampered with (more on enrollment later). If everything checks out, the page loads normally. If, however, any content does not match what’s expected, the page load is aborted and a warning is displayed, protecting the user from potentially malicious content before it can execute.

[0]: https://securedrop.org/news/introducing-webcat-web-based-cod...

[1]: https://securedrop.org/news/browser-based-cryptography/

More comments...