July 5, 2026

Encrypted? Or just snake-charmed?

Web-based cryptography is always snake oil

Experts torch web encryption claims as commenters argue who’s fooling who

TLDR: The article claims web-based “end-to-end encryption” is fundamentally untrustworthy because the same company can change the code whenever it wants. Commenters split between “yes, obviously” and “that definition is so harsh it breaks half the internet,” turning the thread into a trust-no-one brawl.

The article came in swinging with a full flamethrower take: if a website gives you the very code that is supposed to protect you from that same website, then the whole “we can’t read your stuff” promise is basically a magic trick. In plain English, the author says web apps bragging about “end-to-end encryption” are selling security theater, not real safety — and even throws big names like WhatsApp and Signal into the blast zone. The spiciest accusation? That companies love this setup not because it truly protects users, but because it helps them shrug at government demands and say, “Sorry, nothing we can do!”

And the comments? Absolute food fight. Some readers nodded along hard, with one developer bluntly saying everyone already knows these services can secretly switch encryption off for a target “at any time.” Another commenter sarcastically pretended to be shocked that giant tech firms might care more about avoiding massive legal paperwork than about “human rights,” which is exactly the kind of dry roast the thread lived on.

But not everyone bought the doom-posting. Critics said the article’s definition of a broken system was so extreme it would make even privacy tools like Tor sound fake. Others pushed back that the web is not just one giant evil browser monoculture, pointing to different browsers and even a W3C proposal discussion as proof the debate is more complicated. Bottom line: the crowd agreed on one thing only — trust is the real battlefield, and everyone’s side-eyeing everyone.

Key Points

  • The article argues that web-based end-to-end encryption is fundamentally flawed because the server operator delivers the client-side code that performs the encryption.
  • The author proposes that a cryptosystem is "incoherent" when the same entity distributes the implementation and is also the party the system is supposed to protect users against.
  • The article says a malicious web service operator could change the JavaScript sent to users, defeating any claim that the encryption protects against that operator.
  • It extends the same criticism to proprietary non-web messaging services such as WhatsApp and Signal when the provider controls software distribution and restricts third-party clients.
  • The article claims companies adopt such encryption partly to reduce the burden of complying with warrants, subpoenas, and court orders by asserting they cannot access user data.

Hottest takes

"they were actually saving tens of millions in administrative litigation costs" — jdw64
"they could selectively turn it off for anyone, at any time" — jongjong
"too restrictive to be useful" — somezero
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.