Custom-engineering backdoored client software, and rolling it out to a subset of users in a targeted attack, is not comparable to storing everything in plaintext on the server and looking through it whenever the fancy strikes. Practicality matters a great deal in information security.

Yes, it is perfectly possible to do the former – just like it is possible to enter any home and simply bug all hardware inside. That doesn't mean this scenario should be part of a normal person's threat model.

The article is correct in the sense that technically, web-based cryptography requires a degree of trust in the server provider. But the article is utterly wrong in concluding that this makes it snake oil, because attacks are substantially more difficult and costly.

[1] https://news.ycombinator.com/item?id=36386884

The lack of a distribution trust model for the web has long bummed me out, but even snake oil E2EE is a good thing because it makes an active (and potentially detectable) intervention necessary to exploit a client.

Supply chain attacks remain a huge mess. Unless you can validate the worthiness and authenticity of an update, or sandbox it sufficiently, most software can become a threat.

A more manual, opt-in update process for web apps (via service workers) would be a nice innovation, but I doubt it would provide much more safety to non technical end users, since the harder question is whether a particular update is harmful. Solving that verification problem is the crux of the issue regardless of how rapidly software updates.

It does not seem to me that there is any middle ground, barring writing your own client, from scratch, against an open protocol.

EDIT: seems to me that web-based e2e encryption, as described here, still protects you from irresponsible employees of the service reading your messages. And database leaks etc. Getting an update that spies on customers shipped is not a trivial thing in most organisations.

The government using all its coercion forces WhatsApp to update everyone’s app with compromised code. If I simply refuse to download the update, it is impossible for the government to know what I sent?

Let us say I do download the update. I suppose something extremely crude like downloading all messages ever sent client side and just sending it to the server again needs to be done for the govt to access my message. Presumably you would know if such a breaking update was happening through the news and just refuse to update your software.

If the government forces WhatsApp to permanently use backdoored code in the future, then it’s no longer E2E encrypted.

Purportedly E2E provides some degree of protection against an authority of infinite coercion capability like the government. If we are talking about the government, they could just arrest you, torture you and get access to your messages client side if they want to. I think E2E encryption is even more helpful when it comes to protection against opportunistic actors like employees of the company offering the messaging service. I can be assured that no employee can ever sell my data, even if they were bribed, or any Man In The Middle attacks are also rendered pointless.

The authors definition would consider 1-password an incoherent system, yet it's exceptionally effective at mitigating a whole class of attacks. You could argue that any system where you don't control at least 1) the update mechanism, or 2 the keys isn't sufficiently secure. That's one valid approach, but I would recommend anyone who thinks this read Reflections on Trusting Trust: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref....

The more interesting and important problem isn't preventing all possible attacks. It's knowing what attack vectors are worth preventing, and what the consequences for a successful hack are. It's definitely not black and white

> You could perhaps call this cryptography theatre. The purpose of cryptography theatre is not to deliver actual security from a cryptographic perspective but act as a kind of magic spell which (the user believes) gives them a magic opt out from the obligations conferred by warrants and subpoenas. Thus, cryptography theatre must fundamentally be understood not as a cryptographic technology but as a legal one.

dude drinks too much coffee. Of course I wouldn't trust WhatsApp to not give away my conversations to the NSA. But if I'm using WhatsApp in a Starbucks on their wifi, some script idiot next to me can't read my conversations. Not like I use WhatsApp (or talk to people, really) but the security here is on a spectrum.

The histrionic use of "snake oil" is silly. Only idiots think that secrets are safe under all conditions, viz, the above. The real world meaning of secure is to make it very (very, very) difficult for bad guys to get access to your stuff.

It is neither reasonable nor desirable to have some kind of perfect world where no mistakes can be made to help bad guys get caught. If this can be done with almost zero good guys being compromised, good enough.

Sanctimonious sneering about 'theater' when WhatsApp, Signal and iMessages make practical security available to the masses is, well, sanctimonious. Unpleasant, even.

2. The author's argument also applies to the App Store distribution model. Apple or Google may choose or be compelled to publish an app or OS update that is only visible to certain users. By default, iOS and Android install app updates without user approval. (You can and should, of course, disable that if you're concerned about such things.) The key difference is that app developers can't mount targeted attacks in this manner; only Apple and Google can.

3. Here's a simpler iteration on the author's idea for applying subresource integrity to service workers: an "immutable" variant of the https scheme that requires the lowest level of the domain to match a hash of all resources loaded on the page. JS is only enabled if the hash matches.

https+immutable://mhzwdnyyv5turofr8kkivabqyvamg7yteeitzwrg64o00taouw.signal.org

As far as I can tell, this mitigates the issues outlined by the author, and has the following nice properties:

- You can bookmark the URL and be certain that the code can't change in future.

- You can share the URL with someone else and be certain that they will be served the same code.

- Not affected by client-side state (e.g. cache) and thus can't be abused for fingerprinting.

- No risk of bricking the app in perpetuity.

- Thanks to Certificate Transparency, the existence of any published update is public knowledge.

Then how can you trust what the server sends you at all?! Infinitely worse than the situation described in the article!

My attacker must have been someone on the school network. They deleted a lot of things (it was purely destructive) but I saw in access logs that they were stumped by the admin panel which asked for the password again. I had entered my password of course, but the login form had client-side hashing. They can take my session token, but my password was safe. I used the password in other places as well, I think even for my email because I wanted both to be secure and it was a good password (my logic as a 16-year-old), but it was never compromised.

I did change it in case they could brute force the hash at some point (small chance), but client side hashing saved my ass from passive observers. Later, I was a passive observer myself with airmon-ng, exploring public WiFis (no malicious intent, though). Writing and injecting custom data into the traffic was beyond my skill level, as it seemed to have been for those schoolmates.

TLS makes a lot of things better, but on the need-to-know principle, I still feel like client-side password hashing has merit. The server never needs to know your password, it just needs to do a quick single round with secret pepper to disallow a pass the hash attack.

(I first used that specific phrasing a bit over a year ago, judging by HN search.)

A large part of why I call it snake oil is that it’s generally being sold as an inherent and unassailable virtue, when in actual fact it’s nowhere near as perfect as practitioners of it try to convince you (and most of their marketing claims are flat lies, though some do word things more precisely), and you make significant compromises in usability and functionality, which they don’t tell you about. From a convenience perspective, end-to-end encryption is simply dreadful and that’s all there is to it.

I wish we’d ended up with everyone hosting their own stuff instead, with completely decentralised infrastructure, which obviates extra end-to-end encryption (since transport plus storage encryption achieves just as much, and far more conveniently). But we haven’t, and there’s no realistic hope of ever ending up there with how we use tech now—it wouldn’t be particularly practical.

IOW, if you decide to stick w one version that is shown to be without a doubt E2EE then certainly you are better off than with just TLS.

Furthermore, this article only focusses on in-transit encryption (TLS). What about encryption at rest? It can perfectly be viable to have an E2EE service provider keep my data stored in zero-knowledge fashion.

Lastly, typically an E2EE service provider's reputation and business rests on keeping their word. There is not a whole lot of incentive to break it, given the jurisdiction they reside in allows them to refuse compliance w secret services.

IMO this is fear-mongering. At the very least equating even this supposed "snake oil" E2EE with mere TLS seems out of touch w reality.

I wonder if the auther himself personally too avoids E2EE messaging services.

- Customer-Managed Encryption Keys -- US cloud providers love to market this

- Confidential Commuting -- where the root of trust is either the same company (AWS) or a US processor manufacturer (Azure, Google).

1. All cryptographic keys controlled by the users.

2. Some way to confirm you are actually connected to who you think you are connected to.

3. A way to confirm that the code you are running is not leaking keys/content.

This rant covers a particular aspect of #3. E2EE is hard. It is too bad that the marketing is working overtime to convince us that it is not.

Even if the encryption itself is done using a 3rd party trusted library that is definitely kosher, the endpoint may have been compromised to leak whatever information to the public web.

Ergo there is no such thing as e2e encryption unless you have military level control over both ends of the pipe and the pipe itself.

Service providers are made up of employees, contractors, interns and temps. Given a pile of easily searchable user information one of these individuals working for the service provider is going to start poking around that pile of information for reasons not aligned with providing the service. (Boredom, compromise, love interests, personal activism, etc).

End to end encryption terminated on the client puts a powerful boundary between the individual user and the individuals working for the service provider. It makes your private data strictly safer.

The first was Hushmail.

https://www.wired.com/2007/11/encrypted-e-mai/

The things is that “attackers gaining read access on a database” is (unfortunately) a much more common threat than “attacker can execute arbitrary code on the server instead of the application for a long time”.

Consider, for example, Signal's progenitor, TextSecure, or E2EE for RCS.

What's stopping a government from compelling these services to ship backdoored code and then compelling the telco to spill the now-vulnerable ciphertext — which doesn't also stop them from doing the same to modern Signal?

I would also argue that the FBI/Apple example is exactly that scenario — the code being distributed by a different entity (Apple) from which it purports to secure against (any party with physical access).

Remember Crypto AG in Switzerland, owned by CIA. Chinese and Russians never bought Crypto AG secure phone systems.

I trust Metamask and 1Password and Meta with their claims of not sending my secret keys to their servers. Just take their word for it!

I trust Apple with their claims about the “secure enclave”

I trust Google with their claims about Chrome not “phoning home” all my keys

I trust Intel with their SGX extensions (and Signal does also)

I trust AWS with their KMS (“key management service”) and so does Magic crypto wallet etc. and even “the experts” like tptacek tell is “just use AWS”

If we ran the national elections electronically, then in theory, Google or Apple could defraud millions of voters into recording incorrect votes and help steal the election.

Our hardware is made by only a few companies. They could have put all kinds of backdoors.

I am not going to go so far as to say the NSA promoted weakened EC2 crypto curves, but I guess it’s possible

But in general, everyone has a Trusted Computing Base:

https://en.m.wikipedia.org/wiki/Trusted_computing_base

Which is why I don’t want to rely on individual devices for security. I prefer a blockchain and having multiple devices secure data.

In a previous life, the killer app for E2E was "encrypted email" where a lot of companies would claim they do email encryption by having outside recipients visit a website for which the recipient would get a password by SMS in order to read the email sent. And because the website was hosted by the sender on HTTPS... voila, encrypted email. And the sales people from this companies all kept a straight face when explaining how secure the encryption was.