In security, snake oil is a name for the exaggerated claims made by vendors. Cryptography experts have compared the exaggerated claims made by some vendors to the claims made by medicine show pitchmen in mid-19th century America, who bragged of secret ingredients much as today's marketers brag of secret proprietary algorithms.
Commentators note that both the snake oil pitchman and the snake oil cryptographer may actually have a legitimate product worthy of purchase, provided the product's capabilities are not overstated. In mid-19th century America, snake oil was an alternative medicine used by Chinese immigrants working on the transcontinental railroad. The oil seemed to be effective in treating the aches and pains incurred from hard manual labor. European railroad workers learned of snake oil's healing properties firsthand and began to tell others. Entrepreneurs saw there was a market for snake oil and began to promise consumers that the magic Chinese elixir could cure just about anything that was wrong with them. "Snake oil" rapidly became a synonym for "fraudulent" or "bogus", and people forgot that it had once had a valuable, though limited, use.
Matt Curtin, who is credited with applying the term to computer security products, advises buyers to beware of top-secret products that promise unbreakable algorithms and to avoid any vendor who has a "trust us, we know what we're doing" approach to questions. According to Curtin, public scrutiny of an algorithm by mathematicians and other cryptographers is the best way to ensure an algorithm cannot be broken within a reasonable time frame.