"For example, maybe I want to upload a file to a server, and I trust them not to try to steal my data, but I don't trust my government not to confiscate their servers. In that case, SSL + browser cryptography is adequate to give me the assurances I need that the government won't be able to get access to my data, even if the service's engineers could."
If the government might have the ability to confiscate their servers they also have the ability to compromise their service during use. So, if you don't trust your government you can't trust their servers either, regardless of whether you trust the service's engineers or not.
That's the thing - you don't actually have to trust the servers to the same extent. You can look at and verify any JavaScript and CSS and HTML that the server's sending you, manually if necessary, but there's absolutely no way of telling what code the remote server is running.
This actually matters for sites like Mega. There have been previous examples of file storage services falsely promising that all your files would be encrypted and their staff would be unable to access them, for example Dropbox. If all services use server-side crypto there is no way to tell the difference between a service that lies about this and one that's honest. With Mega it's possible - not easy, but possible - to check exactly what kind of encryption is being applied and where it's getting the keys from. You have to go through every bit of content manually with a fine-toothed comb to be sure, of course, and there are various ways to obfuscate things, but it's still better than not being able to see the code at all.
> That's the thing - you don't actually have to trust the servers to the same extent. You can look at and verify any JavaScript and CSS and HTML that the server's sending you, manually if necessary, but there's absolutely no way of telling what code the remote server is running.
You can verify the JS, CSS and HTML only for a specific request and only if you have sufficient knowledge, meaning you have studied cryptography and even then it will take a lot of time because it is not possible to not verify that code manually.
This offers no additional security at all for anyone but the most paranoid cryptography experts.
> This offers no additional security at all for anyone but the most paranoid cryptography experts.
This is not much different from how everything else works. Hopefully the expert cryptographers release tools to help the uninformed masses use stuff or at least break the news if some bad shit starts going on.