End-to-end encryption (E2EE) has become widely adopted in messaging applications, cloud storage, and password managers. Fundamentally, such applications require secrets, e.g., decryption keys, that must never leave the client to achieve their security guarantees. Native applications are typically packaged and distributed in a way that allows them to be effectively audited before installation. In contrast, client-side Web application code is distributed ephemerally by Web servers. A malicious, coerced, or compromised Web server can, at any time, deliver code that exfiltrates client-side secrets without leaving traces. Thus, without a mechanism for verifying the integrity of client-side Web applications and blocking unexpected or malicious client-side code before it is executed, true E2EE cannot be implemented in Web applications. We survey five popular and representative Web application integrity verification tools and find that current solutions only partially address real-world threats. During our analysis, we identified several common pitfalls in existing tools that undermine their security guarantees. For each identified pitfall, we present concrete attack scenarios. Overall, we discovered and responsibly disclosed over a dozen bugs that allowed secret exfiltration across all tools. Building on these insights, we propose a novel design for client-side code integrity verification that systematically improves on the state of the art. Our proof-of-concept extension exhaustively verifies a client-side Web application while blocking modified resources, thereby preserving the guarantees of E2EE. We demonstrate the viability and practicality of our approach through integration with real-world Web applications built using various frameworks.
The Web Conference (WWW)
2026-04-12
2026-06-24