Zero-trust services and web access (lemmy.ml)

submitted 1 day ago by Stopwatch1986@lemmy.ml to c/privacy@lemmy.ml

2 comments fedilink hide all child comments

Thinking about zero-trust, zero-knowledge services, I can see how using the open-source client means E2EE is guaranteed, assuming that the community checks the code of new client releases and that the binaries are not fiddled with.

Am I right thinking that if you use a web client instead then you don't realistically know if the code your browser is sent every time you access the service is compromised? The service may be independently audited, but isn't it conceivable that a person of interest may be specifically sent one-off compromising code to be executed in their browser (or web wrapper)? Eg Whatsapp, Megasync and many others have optional web clients for convenience. I think this may be why Mega advises against using their web access which they describe as less secure.

you are viewing a single comment's thread
view the rest of the comments

[-] Jason2357@lemmy.ca 2 points 23 hours ago

You are correct. That was the death kneel of a really cool e2e encrypted chat app that came before Signal/Text secure. I can't recall the name atm. You are relying on them wanting to avoid the reputational damage of getting caught (it would be trivial for a security researcher to compare two client apps and see the different JavaScript. Beyond that, yeah, they can serve you a compromised site one time and extract your keys.

[-] Stopwatch1986@lemmy.ml 1 points 23 hours ago

The implication is that sending links to encrypted files with the decryption key added to the URL (eg Thunderbird Send, Mega etc) is not zero-trust. Decryption may take place locally and the key part of the URL may not be sent to the file hosting service, but when the recipient clicks on the link and is served one-off code by the web site, that code may be compromised.

As we know, the best way to be sure is to do your own separate encryption but without secure-by-design most people will think you are very odd demanding that decryption is done separately and keys are shared through a different channel. Speaking from experience, no matter how much training they are given at work, most people, including HR, would rather you sent them sensitive documents (like passport scans) in the clear as email attachments or at least in a way that involves a single click (Wetransfer etc).

this post was submitted on 08 Jun 2026

8 points (100.0% liked)

Privacy

48961 readers

700 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS