
Web-based cryptography lacks true end-to-end security, expert claims

Aggregated by BrevFeed security · updated 2h ago

The article argues that web-based applications claiming end-to-end encryption fail due to inherent structural flaws. It asserts that such systems cannot provide reliable security because the same entity that operates the service also distributes the cryptographic code, undermining security claims.

Key points

Inherent Flaws in Web-Based Cryptography

Web-based applications often tout 'end-to-end' encryption, but many lack the architecture to provide genuine security. Claims of full data protection do not hold up when scrutinized against the structure of web technologies.

The article emphasizes that the distribution model of web apps inherently compromises security because the server operator can modify the client-side code.

Understanding Threat Models

The author introduces a law stating that a cryptosystem is incoherent if the distributor of the implementation is the same entity that it seeks to defend against. This implies that web applications claiming to secure user data are fundamentally flawed, because a malicious server operator can easily alter the client code.

Security against external threats is managed through TLS; relying on 'end-to-end' encryption in contexts where the server operator is untrusted therefore offers no substantial benefit.
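
The point about the distributor can be made concrete with an integrity check. The sketch below is an added example, not code from the article or from any project it names; the `Distributor` class, the sample script bytes and the independently published pin are all constructed assumptions. It compares a delivered script against a digest shipped by the same operator and against one recorded by a separate party.

```python
import base64
import hashlib
import hmac


def sri_digest(script: bytes) -> str:
    """Digest in the Subresource Integrity format: sha384-<base64 of SHA-384>."""
    raw = hashlib.sha384(script).digest()
    return "sha384-" + base64.b64encode(raw).decode("ascii")


class Distributor:
    """Constructed stand-in for a service that ships its own client code."""

    def __init__(self, script: bytes):
        self.script = script

    def serve(self) -> dict:
        # The integrity value travels with the script, from the same operator,
        # so it is always recomputed to match whatever is currently served.
        return {"script": self.script, "integrity": sri_digest(self.script)}


def audit(response: dict, independent_pin: str) -> dict:
    """Check the delivered script against both reference values."""
    actual = sri_digest(response["script"])
    return {
        "matches_served_value": hmac.compare_digest(actual, response["integrity"]),
        "matches_independent_pin": hmac.compare_digest(actual, independent_pin),
    }


def demo() -> tuple:
    reviewed = b"function send(m, k) { return encrypt(m, k); }"  # constructed
    changed = reviewed + b" /* later build, not reviewed */"      # constructed
    pin = sri_digest(reviewed)  # assumed to be published by a third party
    service = Distributor(reviewed)
    before = audit(service.serve(), pin)
    service.script = changed  # the operator ships a different build
    after = audit(service.serve(), pin)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("reviewed build", "changed build"), demo()):
        print(label, result)
```

The check against the served value passes for both builds, while only the independently held pin registers the change. A reference value is useful only when it comes from someone other than the party being defended against.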

Implications for Established Services

The argument extends beyond web apps, suggesting that widely-used applications like WhatsApp and Signal fall into the same trap. Both prevent the use of third-party clients, meaning their encryption promises might also be misleading.

This perspective challenges the trustworthiness of many popular communication services' security, raising questions about the real level of privacy they provide.

Conclusion

The limitations of web-based cryptography have significant implications for internet security and user trust. Users of these services should critically evaluate encryption claims, as they may not provide the protections advertised.

Overall, this analysis serves as a cautionary note for both developers and users regarding the integrity of cryptographic systems on the web.

This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors; check the original sources.

Primary sources

GitHub w3c/ServiceWorker
