Remix.run Logo
stymaar 4 days ago

> A cryptosystem is incoherent if its implementation is distributed by the same entity which it purports to secure against.

This is both true, and also useless: pretty much any E2E system is falling under this definition.

By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

That doesn't mean it's snake oil though, as the entity you want protection against is generally not the software provider but a third party. Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

It also means you are safe from data leaks, which are by far the most common threat today.

No system can be secure unconditionally, it's always secure under a particular threat model. And in practice “the attacker is able to deploy arbitrary code on your behalf for an extended period of time without being detected ” is a much narrower attack surface than “the attacker is able to obtain read-only access to your DB or your backups for at least a few minutes”. In the former case, the encryption being broken is also the least of your concern, as you've basically given remote access to all of your user's devices at this point…

sneak 3 days ago | parent | next [-]

> This is both true, and also useless: pretty much any E2E system is falling under this definition.

This is not true. I can build Signal from source from GitHub, and use Signal-the-service with the client (which did not come from Signal, but GitHub/my compiler).

Many cryptosystems are like this. In any case, if you are getting something from the App Store, you can get it once and disable autoupdates, which prevents the service provider (presuming they are the same as the people who published the app) from backdooring you at some point in the future. Alternately, even with updates, unless Apple is colluding with them to serve only you* a specific backdoored app, you can at least be reasonably confident that it's not specifically backdooring only you* in an undetectable fashion.

stymaar 3 days ago | parent | next [-]

> This is not true. I can build Signal from source from GitHub

Sure, but can you find an NSA-designed backdoor in the source code?

> you can get it once and disable autoupdates

Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync. Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?

What you describe may be possible for an intelligence agency, but completely out of reach for an individual.

> unless Apple is colluding with them

Given the most likely adversary is the US intelligence with a warrant, it's absolutely not far fetched to assume that in your threat model.

> you can at least be reasonably confident that it's not specifically backdooring only you

That's not really reassuring…

tptacek 3 days ago | parent | next [-]

Now the argument is shifting. It started out as "a cryptosystem can't be secured from the entity in control of its supply", and now it's "a cryptosystem can't be secured even given its source code because the NSA".

stymaar 3 days ago | parent [-]

It's not shifting. It doesn't need to be the NSA, intelligence agencies are just, by far, the most likely attackers against Signal.

tptacek 3 days ago | parent [-]

It's not the identity of the agency that makes the argument so slippery!

stymaar 3 days ago | parent [-]

Do you seriously think that the average Joe is able to find a backdoor, planted by anyone, in a piece of software they aren't familiar with?

Because that what quite literally the claim I was arguing with in the first place.

tptacek 3 days ago | parent [-]

I don't really agree with much of anything you've said in this thread, but the only thing I'm pointing out here is that your argument has shifted and is chugging heartily towards non-falsifiability.

stymaar 3 days ago | parent [-]

No the argument hasn't shifted. The core point is that any time you use a piece of software, you have to have some level of trust towards the entity that gave you the said piece of software.

The way I responded to one particular example “what if I download Signal and compile it myself” is just that a particular example, not a shift in argument.

If you think there's no trust assumption in the distribution of software, feel free to provide actual arguments to refute that argument of mine, because so far your comments have been disappointingly lacking in substance.

subscribed 3 days ago | parent | prev [-]

>> This is not true. I can build Signal from source from GitHub

> Sure, but can you find an NSA-designed backdoor in the source code?

You're moving the goalpost. They were responding to the claim suggesting it's impossible to get non-Signal provided signal.

>> you can get it once and disable autoupdates

> Try doing that with Signal, and you'll be unable to connect to the main network in just a few days because you get out of sync.

That's demonstrably false. On one of my idle/backup phones I'm using Signal 8.8.2, released in April 2026, almost 3 full months ago. It can not only connect to the network but everything works, with every contact.

You might think of the official Signal client expiration, but that's client side (meaning that you can compile and use the version that doesn't have it) and..... 90 days, not "a few".

I don't have a concrete number for the server side of enforcement though (minimumVersions seems to be populated at start time, with the defaults not committed to the repo). It's not entirely unreasonable to assume that the lowest official supported version is the one that introduced the concept of usernames, and the only meaningful capability test is SPQR.

> Also, what do you do if there's a high severity CVE on the program? You still don't update or you re-audit all the new code?

I think disabling auto update was shown as a possible strategy against a silent, targeted auto update. Not a way to remain protected against the general CVEs.

Non sequitur.

stymaar 3 days ago | parent [-]

> You're moving the goalpost. They were responding to the claim suggesting it's impossible to get non-Signal provided signal.

That was never my claim. The claim is that you cannot protect youself from Signal being malicious if Signal is the maker of the software. Compiling the software yourself doesn't help against the kind of adversary in the threat model.

> That's demonstrably false. On one of my idle/backup phones I'm using Signal 8.8.2, released in April 2026, almost 3 full months ago. It can not only connect to the network but everything works, with every contact.

Lucky you, you only need to fully audit the codebase every 3 months.

I'm using the Signal apk directly so I'm painfully aware of the frequency of the breakages.

> I think disabling auto update was shown as a possible strategy against a silent, targeted auto update. Not a way to remain protected against the general CVEs.

I don't think you understand my point. I'm not talking about the CVE being exploited against you. The CVE will just push you to download the compromised update, breaking your “security through lack of update” policy.

JacobKfromIRC 5 hours ago | parent [-]

Defense against Signal may not be total, but if you build from source (or use a reproducible build) you can check to be pretty sure you have the same software as everyone else, in which case a backdoor would have to be in a public version of Signal, which means any backdoor has a chance of getting discovered.

Backdoors can be well-hidden, but this is the kind of software that people look for vulnerabilities in [1]. This gives a lot less flexibility to any potential backdoor.

Additionally, someone could decide to write a new Signal client from scratch, designed to be compatible with the original server. Such a client would probably be less secure overall, at least at first, but it couldn't have a backdoor inserted by Signal developers, since it wouldn't contain any Signal code. Since the original client also supports end-to-end encryption, a new client can be compatible with old clients.

[1] https://community.signalusers.org/t/overview-of-third-party-...

hamburglar 3 days ago | parent | prev [-]

If you get an open source app from the App Store, is there any assurance it actually reflects the code in the repo? I’d think the signing step happening in isolation opens the door to tomfoolery.

bigfatkitten 4 days ago | parent | prev | next [-]

One thing you can do is have your adversary put their money where their mouth is and use the very same products, sourced independently, that they use to protect their own sensitive information.

There are limits to this of course. You can’t buy a TACLANE[1], but you can buy many of the other products[2] USG uses to protect its own classified information.

[1] https://gdmissionsystems.com/encryption/taclane-network-encr...

[2] https://www.nsa.gov/resources/Commercial-Solutions-for-Class...

crote 3 days ago | parent [-]

The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

A more modern example is probably the NSA aggressively pushing[3] for replacing classical encryption with post-quantum encryption, rather than taking the more conservative and probably-more-secure approach of layering the two - while at the same time mandating the use of two layers of those same algorithms for their own use[4]!

[0]: https://en.wikipedia.org/wiki/NOBUS

[1]: https://en.wikipedia.org/wiki/Clipper_chip

[2]: https://en.wikipedia.org/wiki/Dual_EC_DRBG

[3]: https://blog.cr.yp.to/20251004-weakened.html

[4]: https://defense-solutions.curtisswright.com/capabilities/tec...

bigfatkitten 3 days ago | parent | next [-]

> The obvious counterexample is NOBUS[0] vulnerabilities, and intentional backdoors like the Clipper Chip[1] or Dual_EC_DRBG[2]: if you genuinely believe you are the only one who could possibly exploit it, there's no reason to avoid using it.

The problem with these examples is that they weren't used in national security systems, which are the systems for which NSA has a legislated defensive responsibility.

Clipper was designed for use by the public; it was not intended to ever be used to protect classified (or even sensitive unclassified) information at all.

Likewise with Dual_EC_DRBG. The CSfC component requirements drew from the Common Criteria Protection Profiles, where Dual_EC_DRBG was never an option.

tptacek 3 days ago | parent | prev | next [-]

The NSA isn't aggressively pushing for PQC; the industry is. Note that the PQC standard we have was the product of a competition won by European academic cryptographers.

adrian_b 3 days ago | parent [-]

That is not what the comment to which you replied said.

There is a consensus about pushing PQC and about the PQC standard.

The dispute is about something else, about whether the current Diffie-Hellman based key establishment algorithms should be immediately and completely replaced by PQC (which is what NSA pushes), or to be more prudent and use for some time both methods (so that the key exchange cannot be broken when any of the 2 algorithms is broken), to afford more time for gaining confidence in the standardized PQC algorithms, until eventually one might decide that it is reasonable to omit the current algorithms.

What NSA wants reduces somewhat the costs, but not by much, because PQC is much more expensive, so most of the cost is determined by it and not by the classic algorithms, even when they are used together, and also because keeping the current algorithms does not require any development work, as there are mature implementations in SW or in HW for all applications. The opponents argue that this small cost reduction is not worthwhile, because it eliminates the serious risks that flaws may be discovered later in the current PQC standards.

Moreover what NSA wants would complicate the protocols, because many would not accept the risks of the NSA variant, so it would remain optional to omit the classic algorithms, increasing the number of choices in the protocol, which is always undesirable in security protocols.

tptacek 3 days ago | parent [-]

No, I'm very clear on what the question was asking, and it is not in fact "NSA" driving this process.

This is 100% Daniel Bernstein drama. Bernstein is upset that the NIST contest selected MLKEM (Kyber). He's been running a yearslong crusade to impeach the standard, up to and including opposition to lattice cryptography writ large, despite himself signing on to a lattice entrant (SNTRUP) to the PQC competition.

Over the last several months, the focal point of this crusade has been the IETF TLS Working Group, where Bernstein has been canvassing opposition to an RFC that will establish code points and documentation for pure, non-hybrid MLKEM TLS. Few systems in the near future are likely to use pure MLKEM TLS, but there are conceivable systems that we can foresee needing the option: for instance, embedded systems like smart meters that do ECC today, and could do MLKEM if it was urgently needed because of a CRQC, but couldn't practically do both.

The arguments being made on TLSWG are in spectacularly bad faith. People have varying levels of confidence in pure MLKEM (the closer your job title is to "cryptography engineer", the more likely it is you think hybrids are silly). But outside of the federal government itself, nobody in the entire world is being forced to use pure MLKEM; the entire controversy is about documenting what TLS would look like if you needed pure MLKEM.

The "NSA" stuff is just more innuendo.

Apart from bytes on the wire, MLKEM is not in fact "much more expensive" than 25519. Also, you have the maturity argument wrong; it's not a concern that risks/flaws will be discovered "in the standards".

cassonmars 3 days ago | parent [-]

Your argument would be far more charitable if NIST had not already been caught pushing a broken standard at the behest of the NSA before. DJB might be combative and somewhat caustic, but the one thing he's never been, given enough time in the retrospect to show it, is wrong.

tptacek 2 days ago | parent [-]

The logic you're using here would be just as valid in a campaign against SHA2. More valid, in fact, because unlike MLKEM, which was designed by European academic cryptographers, the NSA actually designed SHA2.

charcircuit 3 days ago | parent | prev [-]

>Dual_EC_DRBG

There is no hard evidence that it was backdoored.

ranger_danger 3 days ago | parent [-]

> As part of its efforts to foil Web encryption, the National Security Agency inserted a backdoor into a 2006 security standard adopted by the National Institute of Standards and Technology, the federal agency charged with recommending cybersecurity standards. Credit Patrick Semansky/Associated Press

https://archive.nytimes.com/bits.blogs.nytimes.com/2013/09/1...

Even if you believe they're lying, or think that it's impossible to know because it may be a kleptographic backdoor... the latter at least is understood to be a unique property that most other algorithms do not share, so I think for that reason alone it's enough to assume it is backdoored, insofar as that we should tell people to stay away from it regardless.

charcircuit 3 days ago | parent [-]

There is no source in the article to support that claim, it links to another article where it merely says that people suspected it of being backdoored, but those people had no proof either. There are objective reasons why it's not a good idea to use compared to better algorithms, but I wish the reasoning was not solely based off of a conspiracy theory or hate for the NSA.

xg15 3 days ago | parent | prev | next [-]

> Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

You don't need E2E for that, using https/TLS for transport and servers hosted in the US would be enough.

ranger_danger 3 days ago | parent | next [-]

Anyone using reverse proxies, CDNs or anti-DDoS services already voluntarily give full MITM privileges of their unencrypted data to companies like CloudFlare, Amazon, Akamai, Fastly, etc., which is most of the top sites on the internet and a large percentage of the overall internet traffic.

stymaar 3 days ago | parent | prev [-]

It will be enough until the server is pwnd and the data is leaked to the world.

Data breaches happen literally every day.

xg15 3 days ago | parent [-]

But that's OP's point. If the server is pwned, the hackers can simply change the front-end of the app and have it send the confidential data to wherever after it was decrypted on the client.

stymaar 3 days ago | parent [-]

See what I wrote above:

> in practice “the attacker is able to deploy arbitrary code on your behalf for an extended period of time without being detected ” is a much narrower attack surface than “the attacker is able to obtain read-only access to your DB or your backups for at least a few minutes”. In the former case, the encryption being broken is also the least of your concern, as you've basically given remote access to all of your user's devices at this point…

Data breach occur every day, rootkits being covertly deployed in production apps for a substantial period are much rarer. E2ee only protects against the former, like a safety belt only prevent you from frontal shocks. Nobody would say they are snake oil because of that.

tarpitt 3 days ago | parent [-]

I would say that they are snake oil because of that. Data breaches occur more often than rootkits because most developers see that this path adding easily-removable encryption does nothing in the long run.

stymaar 3 days ago | parent [-]

> Data breaches occur more often than rootkits because most developers see that this path adding easily-removable encryption does nothing in the long run.

That logic makes no sense. A rootkit is much more valuable than a data breach (because it gives you access to a compromised device), the reason why you don't see more of them is because it's much harder to pull off, not because people don't use e2ee…

(For instance, if you can replace an e-commerce website's code with your own, you get access to the user's payment information, which you can't usually get from their DB since it's generally handled by the payment processor, or to the user's plaintext password…)

echoangle 3 days ago | parent | prev | next [-]

> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

Well that’s just wrong, just make it open source and do reproducible builds

adirelle 3 days ago | parent | prev | next [-]

> the entity you want protection against is generally not the software provider but a third party.

This. The author is dismissing the whole web-based cryptography, or any end-to-end cryptography for that matter, on the basis of a one-dimension analysis.

upofadown 3 days ago | parent | next [-]

But claiming that your system is end to end encrypted means that you are claiming protection from you and your system. This is mainly a truth in advertising issue.

stymaar 3 days ago | parent [-]

> means that you are claiming protection from you and your system.

Not necessarily. I push for e2ee everywhere I can for a completely different reason: when (not “if”, “when“) we get breached, we cannot leak sensitive data we don't have.

tarpitt 3 days ago | parent [-]

The problem is that your system can be changed at any time such that you can have the information.

stymaar 3 days ago | parent [-]

Only if you manage to deploy malicious code and have it stay there undetected. But in practice this is much harder than having access to a DB or a backup for a few minutes (that's all it takes to leak data).

(Just as an example, at my current employer, out of 8 people in the company, there are 8 people who have credentials that permit at least some db access in one way or the other (anyone that has at least one of this job: customer support, account managers, data scientists, devs). There are only 3 people who can push changes to production, and you need 2 out of 3 to do so, and all of three get paged when a release happen. Of course it's not infallible, but the probability of the app being corrupted is orders of magnitude lower than the DB being breached, by the mere scale of the number of people who have access to these things. And again, you only need transient access to the data to leak it, when you need persistent access to do damage by corrupting the code. Most companies I worked for had an even worse ratio between people having access to some sensitive data and people having the ability to push corrupted code in production).

sscaryterry 3 days ago | parent | prev [-]

The article is nothing but a rant.

earth-tattoo 3 days ago | parent | next [-]

Craigslist used to have a Rants & Raves section for exactly these kind of things. I think they still have, but in old times it used to be so happening! Maybe hacker news needs to have one.

tarpitt 3 days ago | parent | prev [-]

Your comment is merely a comment and not an argument

ignoramous 3 days ago | parent | prev | next [-]

> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

There are levels to this (hermetic/reproducible builds & attestations, as one example). In fact, TFA is harsh for the only case it wants to make an example out of, WhatsApp Web:

  Code Verify works in partnership with Cloudflare, a web infrastructure and security company, to provide independent, third-party, transparent verification of the code you're being served on WhatsApp Web. We hope this gives at-risk users peace of mind. 
https://blog.cloudflare.com/cloudflare-verifies-code-whatsap... & https://engineering.fb.com/2022/03/10/security/code-verify/
xg15 3 days ago | parent | prev | next [-]

> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

That's not completely true. If I can control when (and if!) the software updates and if there is some kind of vetting process to verify that the version I'm currently running does not contain a backdoor, I can treat it like a third party with respect to the server.

I agree with you though that most current software that are made to auto-update at any time without any oversight do not fall under this umbrella. Web apps definitely don't fall under it.

SoftTalker 3 days ago | parent [-]

> if there is some kind of vetting process to verify that the version I'm currently running does not contain a backdoor

This would be extremely difficult, I would say impossible from a practical standpoint.

rstuart4133 3 days ago | parent | next [-]

> This would be extremely difficult, I would say impossible from a practical standpoint.

It's not only practical and possible, it's so common it even has a name in software engineering circles: change control. It boils down to this: you delay installing the software until it's been reviewed, tested and deployed by others. Or as Linus would put it, until the many eyeballs have had their say.

As for "the person in control of the platform": the solution is to remove some of that control. You make new versions of the software available for anonymous download, so the provider has no idea who is upgrading. All open source distributions provide their software in that way. No proprietary platforms I'm aware of do, because they want a "billing relationship" with the customer. Once downloads are anonymous, the owner of the software can't target individuals with a tailored Trojan Horse binary. Everyone gets the same binary, and so there are lots of eyeballs looking at it.

The final piece of the puzzle is reproducible builds, which ensures the many eyeballs can see the code use to build the binary.

All this has been around for a while now, so it's largely a solved problem in open source distributions. The problem with web-based cryptography is it isn't managed like an open source distribution. Downloads aren't anonymous, the source isn't available or signed, and it changes so fast change control isn't possible. So yeah, as things stand it's snake oil. But it doesn't have to be - it's just the way things are now.

1718627440 2 days ago | parent | prev [-]

Calculating a hash and comparing against reproducible builds doesn't seem to complicated.

delusional 3 days ago | parent | prev | next [-]

> Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

Framing this in terms of governmental espionage is nonsensical. Using e2e from a US-based entity makes you completely sure that the US government is spying on you, because they assert direct control over the software you are running. There is no venue to seek justice against an unlawful contract if the government is in on it.

You should instead take a step back into reality and consider data misuse by normal non-government actors. Facebook claiming e2e encryption is a contractual matter, that you can litigate. That's where the actual protection is. That's also why real business demands not "unbreakable encryption" but reliable marker for access and tampering. It is much more useful to have a record of who accessed the data, than a claim that it's impossible.

tptacek 3 days ago | parent | next [-]

I think the whole US vs. non-US thing is total crap and there's nothing you can reasonably do with it in any direction, but I always think it's important to point out that US signals intelligence can lawfully compromise foreign communications; that's literally their chartered purpose.

stymaar 2 days ago | parent | next [-]

> I think the whole US vs. non-US thing is total crap

It's not. US companies can be subpoenaed in the US.

> I always think it's important to point out that US signals intelligence can lawfully compromise foreign communications; that's literally their chartered purpose.

Of course they can. But it's significantly easier to get a warrant to target a company under US jurisdiction.

tptacek 2 days ago | parent [-]

Foreign companies don't have to be subpoenaed. NSA can simply break in and take whatever they want, lawfully. In light of that, the warrant point you're making doesn't make sense: they don't need a warrant to go after foreign assets.

stymaar 2 days ago | parent [-]

> NSA can simply break in

You can't be serious …

The NSA can break in the same way the Mossad can assassinate you anywhere in the world. That doesn't mean it's a it's going to happen anytime soon unless you're an exceptionally high priority target. Authorities getting legal access to your personal informations from US companies on the other hand is routine practice. Equating the two is a crazy take.

By the way, you read the argument completely backwards in the first place: the original argument was that even if using an American company means the US law enforcement have full access to your data if they want to, your data is still pretty safe from anyone else there (unless, of course, if you are a high priority target again).

See the original sentence:

> Using e2e from a US-based entity means you are prone to spying from the US government, but at least you know you're reasonably secure against the IRGC, the Chinese intelligence service, the FSB, and so on.

Saying someone's argument is “total crap” without even having taken enough time to properly read the sentence you're criticizing is kinda lame IMHO.

tptacek 2 days ago | parent [-]

I am 100% dead serious and I kind of don't understand the rebuttal you're trying to write here.

stymaar 2 days ago | parent [-]

“Cryptography is useless because governments agencies will kidnap you and hit you with a wrench” isn't the hill I expected you to die on TBH.

> I kind of don't understand the rebuttal you're trying to write here.

Fill free to make the effort to read it (again).

tptacek 2 days ago | parent [-]

I have no idea who you're responding to because nobody on this thread has made that argument.

stymaar 2 days ago | parent [-]

Maybe if you made your point straight instead of making laconic remarks this discussion would be more constructive…

All I got from your few words is that apparently you consider the NSA breaking into a random foreign app a reasonable threat model to design around. Abduction from the CIA being only marginally more unlikely, why bother with anything?

Or maybe I misunderstood your point but then again when you can't bother writing down two consecutive sentences how am I supposed to read your mind?

tptacek 2 days ago | parent [-]

I can't help you with any of this, but again: the argument you made about cryptography and jurisdiction, nobody on this thread has taken the other side of.

stymaar 2 days ago | parent [-]

It's getting outright fascinating, why do you even stick in this conversation if you don't want to engage in it with more than one ambiguous sentence at a time?

delusional 3 days ago | parent | prev [-]

> there's nothing you can reasonably do with it in any direction

I wholeheartedly agree. That's why bringing nation state threats into these kinds of discussions is so pointless. If you want security from governments, the amount of security work you have to do is so far beyond what any reasonable person is willing to endure that it makes no sense to talk about on hackernews. That stuff is for real professional discussions at real professional congresses.

kasey_junk 3 days ago | parent | prev [-]

Your access records are only as good as your ability to prevent someone from making unauthorized access.

eptcyka 3 days ago | parent | prev | next [-]

> By definition you can't protect yourself from the entity that provides you the software you use, because you have now way to guarantee that they aren't going to backdoor you.

But with repro builds and system transparency, hiding backdoors is impractical.

sandeepkd 3 days ago | parent [-]

Not really, time and time again people have abused their position/influence to build backdoors almost into everything for good or bad reasons. The whole idea of third party audits was to ensure that there are checks and balances. Then again the auditors are lowest paid to get stuff done and they take word of the company for most part.

On other hand its quite natural, security is not really getting you direct revenue so business is least motivated in investing it or say continuously investing in it. The ones that do are doing partial lip service for most part.

tptacek 3 days ago | parent [-]

Really? "Time and time again", "almost everything"? Make a list!

conartist6 3 days ago | parent | prev | next [-]

It's not useless, I don't think.

If the software is open source and you only install new versions after their source code has been audited, you should be ok.

teravor 3 days ago | parent | prev | next [-]

a website can serve you a keylogger client and no one will ever know most likely, harder to do with binaries/sources

upofadown 3 days ago | parent | prev [-]

>...pretty much any E2E system is falling under this definition.

The definition is quite clear. It does not apply when the implementation is not distributed by the same entity that creates it for example. There are other related issues but the message here is that web based cryptography has a particular weakness when it comes to things like end to end encrypted messaging which makes it so bad as to be worthless.

stymaar 3 days ago | parent [-]

> The definition is quite clear. It does not apply when the implementation is not distributed by the same entity that creates it for example.

How can you be sure that the entity distributing the software didn't backdoor it?

> the message here is that web based cryptography has a particular weakness when it comes to things like end to end encrypted messaging

There's literally no substance about that claim in TFA.