Slashdot Mirror


The Problem With Using End-to-End Web Crypto as a Cure-All

fsterman writes: Since the Snowden revelations, end-to-end web encryption has become trendy. There are browser add-ons that bolt a PGP client onto webmail and both Yahoo and Google are planning to support PGP directly. They attempt to prevent UI spoofing with icons similar to the site-authentication banks use to combat phishing.

The problem is that a decade of research shows that users habituate to these icons and come to ignore them. An attacker can pull off UI spoofing with a 90%+ success rate.

2 of 89 comments

  1. Webmail? You're doing it wrong by Anonymous Coward · Score: 1, Informative

    No one sends anything confidential via webmail. That's what local applications are for. They all support S/MIME, which is what DOD uses, and they do it out of the box.

  2. that's not what "end to end" means. by Anonymous Coward · Score: 2, Informative

    End to end = I encrypt on my computer, message is sent over possibly snooping middlemen, recipient decrypts on his or her computer.

    End to end is NOT: some snooping middleman in the middle has the key and does the encryption "for" me.

    The only way for someone to "spoof the UI" is to have control over my computer, and if they have that, all bets are off anyway.

    There's nothing wrong with end to end encryption. There's something wrong with your definition.