Web-based cryptography is always snake oil
Nowadays, there is an epidemic of web applications purporting to offer “end-to-end” encryption. Examples include a file upload service which lets you upload and share files of arbitrary size and promises “end-to-end encryption”; a web-based password safe service which claims that it cannot see your passwords because they are encrypted; or a web-based cryptocurrency wallet.
The cryptographic claims made by these services are invariably nonsense. Indeed they necessarily must be, because the web as a platform does not possess the necessary functionality which would allow otherwise.
Fundamentally, all web-based cryptosystems are incoherent because they suffer from an incoherent threat model.
Let me start by coining a law, which is both obvious and yet, to my knowledge, novel and overdue:
A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against.
It is inherent to the model of the web platform that the code which implements a client-side web application is distributed by the given website. Thus the client-side code is always distributed by the operator of the web server.
In other words, web-based “E2E” applications claim to secure against malice on the part of the server operator using encryption implemented in client-side JavaScript, but this claim cannot hold: if the server operator were malicious, they could simply push different client-side JavaScript. (Conversely, entities other than the server operator are already secured against by TLS, so there is no additional benefit to “E2E” if you trust the server operator.)
The web platform does not contain any functionality which could be used to separate this relationship (e.g., to distrust server operators for the purposes of what client-side code can execute for an origin), so this problem is intrinsic to any attempt to implement “E2E” encryption in a web application. There are no exceptions.
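As an added illustration of the law above (not code from the original post), the following Python models the one integrity check the web platform does offer, Subresource Integrity, next to a check performed by an independent monitor with a hash pinned out of band; the `Origin` class, `publish()` and the script contents are constructed stand-ins.

```python
import base64
import hashlib
import re
from dataclasses import dataclass


# Constructed stand-in for a web origin: everything it serves, the HTML
# page and the script alike, is chosen by the operator.
@dataclass
class Origin:
    html: str
    script: bytes


def sri_hash(script: bytes) -> str:
    """Subresource Integrity value in the form a browser expects."""
    return "sha256-" + base64.b64encode(hashlib.sha256(script).digest()).decode()


def browser_sri_check(origin: Origin) -> bool:
    """What the browser can do: compare the served script against the
    integrity attribute in the served HTML. Both come from the same origin."""
    m = re.search(r'integrity="([^"]+)"', origin.html)
    return m is not None and m.group(1) == sri_hash(origin.script)


def out_of_band_check(origin: Origin, pinned: str) -> bool:
    """What an independent monitor can do: compare the served script against
    a hash recorded somewhere the operator cannot rewrite."""
    return sri_hash(origin.script) == pinned


def publish(script: bytes) -> Origin:
    """The operator builds the page, so the integrity attribute is always
    generated from whatever script they decided to ship this time."""
    html = f'<script src="/app.js" integrity="{sri_hash(script)}"></script>'
    return Origin(html=html, script=script)


AUDITED_SCRIPT = b"// constructed: bundle reviewed by an auditor\n"
PINNED = sri_hash(AUDITED_SCRIPT)  # recorded by the auditor, off-site


def demo() -> dict:
    honest = publish(AUDITED_SCRIPT)
    swapped = publish(b"// constructed: different bundle pushed later\n")
    return {
        "honest_sri": browser_sri_check(honest),
        "swapped_sri": browser_sri_check(swapped),  # True: same origin wrote both
        "honest_oob": out_of_band_check(honest, PINNED),
        "swapped_oob": out_of_band_check(swapped, PINNED),  # False: change seen
    }
```

The in-platform check passes for both bundles because the HTML carrying the integrity value is served by the same party as the script; only a verifier outside the origin, holding a hash the operator cannot update, notices the swap.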
It is worth noting that this law also applies to non-web applications where the service provider supposedly being secured against is also the client software distributor; thus, the “end-to-end encryption” offered by WhatsApp and Signal, amongst other proprietary services, is equally bogus. (Both WhatsApp and Signal ban use of third-party clients, and enforce this policy.)