Web Cryptography Is Always Snake Oil

A new post by Hugo Landau argues that all web-based end-to-end encryption is fundamentally broken. The core problem: the server that hosts the application also distributes the client-side JavaScript. If the server operator is malicious, they can push a code update that undermines the encryption at any time.

Landau coins a law: "A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against." This applies to any web app claiming E2E encryption—file upload services, password managers, crypto wallets, messaging apps. The threat model is self-contradictory.

The Incoherent Threat Model

Web apps rely on TLS to secure data in transit against third parties. But the server operator already has full control over the client code. If you trust the server, you don't need E2E. If you don't trust the server, E2E is useless because the server can change the code.

Landau points out that the same flaw applies to proprietary apps like WhatsApp and Signal, which ban third-party clients. Since the vendor distributes the client software, they retain the ability to bypass encryption. By any definition, that's a backdoor.

Cryptography Theatre

So why do companies invest in snake-oil crypto? Landau argues it's a legal maneuver: by adopting E2E, companies claim they cannot comply with warrants or subpoenas. This reduces their legal costs and liabilities. But this "magic spell" relies on a shaky legal theory that a company cannot be forced to compromise its own system.

Landau cites two cases: the Lavabit incident, where the FBI tried to force the owner to modify client code to decrypt Edward Snowden's emails, and the FBI-Apple case, where the FBI sought to compel Apple to create a compromised iOS firmware. Both show governments believe they can force compliance. The legal protection is weak and jurisdiction-specific.

The Dialogue

The article includes a fictional dialogue between Alice and Eve (the server operator). Alice quickly realizes that Eve's E2E encryption doesn't protect against Eve, and TLS already protects against third parties. Eve admits the system makes no sense technically—it's only useful as a legal dodge.

Why It Matters

If you're building or using web-based cryptography, understand that it provides no real security against the service provider. For true E2E encryption, you need open-source clients that users can verify and that are distributed independently of the server. Otherwise, you're relying on the server's goodwill, which is not cryptography.

What You Should Do

  • Audit your own systems: if your client code is served by the same entity you're trying to secure against, your threat model is broken.
  • For sensitive applications, use native apps with reproducible builds and independent distribution channels (e.g., F-Droid, package managers).
  • Be skeptical of any web app claiming E2E encryption unless it provides a verifiable, static client that can't be updated server-side.
  • Consider the legal implications: don't assume E2E will protect you from government requests—it's a legal theater, not a technical guarantee.