Crypto is not like other features of a web application. With most other features, it can be mostly working and have a few bugs, but still be useful and functional. Bugs can be ironed out over the course of time.
Crypto is in a very real sense all-or-nothing. You either get it right, or you get it wrong. There is no in-between. Given a weakness, the best attacks almost inevitably drop from requiring O(2^keylen) operations to something along the lines of O(messagelen) operations.
Worse, it is often very difficult to dig yourself out from a deep cryptographic hole that you've gotten yourself into. If you've done it right, you won't be able to do things like rehash user passwords without the user actually supplying his/her password. You won't be able to re-encrypt data with new algorithms until the user supplies his/her key. And if you haven't thought ahead and added proper metadata to identify the algorithms and encodings you've used, your migration to any new architecture is going to be a massive pain in the ass. And even in the best-case scenario, you will never be able to "upgrade-in-place" the algorithms and approaches you've used for users who've gone dormant. Worse again, if anyone has already gained access to encrypted data before you began the process of upgrading, they have literally an indefinite period of time with which to attack it.
Bad cryptography almost always implies a lack of people with a real cryptographic background. And that implies at least one of: they don't value security as much as you think they do, or they actually think they know what they're doing and are utterly mistaken. Neither of which bodes well for real long-term solutions, and hints at an endless game of exploit whack-a-mole.
Everything I've read about the cryptography used in Mega leads me to believe it was implemented by well-intentioned amateurs who have tragically fallen victim to the Dunning-Kruger effect. Their use of cryptography amounts to little more than advanced cryptographic voodoo — their approach is to cryptography what Deepak Chopra's approach is to quantum mechanics. It's little more than advanced cryptographic voodoo. I'll note also that they seem to be taking the exact stance you seem to be advocating: just writing glue around a sound cryptographic core. Except their glue code is pitifully insecure, combines primitives in nonstandard or cryptographically unsound ways, and uses primitives for operations they were never intended for and aren't suited for.
TL;DR, bad cryptography is forever.
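The migration constraints described above (algorithm metadata stored with the data, re-hashing only possible when the user supplies the password, dormant accounts stuck on the old scheme), as an added example that is not part of the original comment. The `scheme$iterations$salt$hash` record format, the scheme names and the iteration counts are assumptions made for illustration.

```python
import base64, hashlib, hmac, os

# Hypothetical policy and scheme table for this example (not from the comment).
CURRENT = ("pbkdf2-sha256", 600_000)
SCHEMES = {"pbkdf2-sha1": "sha1", "pbkdf2-sha256": "sha256"}  # name -> digest

def _b64(raw):
    return base64.b64encode(raw).decode()

def make_record(password, scheme=CURRENT[0], iterations=CURRENT[1], salt=None):
    """Return 'scheme$iterations$salt$hash' so the algorithm travels with the data."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac(SCHEMES[scheme], password.encode(), salt, iterations)
    return "$".join([scheme, str(iterations), _b64(salt), _b64(dk)])

def verify(password, record):
    """Recompute with the parameters named in the record, compare in constant time."""
    scheme, iterations, salt_b64, hash_b64 = record.split("$")
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme in stored record: " + scheme)
    dk = hashlib.pbkdf2_hmac(SCHEMES[scheme], password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(hash_b64))

def needs_upgrade(record):
    scheme, iterations = record.split("$")[:2]
    return (scheme, int(iterations)) != CURRENT

def login(db, user, password):
    """Verify, then re-hash under CURRENT: only possible while the plaintext is in hand."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        db[user] = make_record(password)
    return True

def demo():
    # Constructed sample data: two accounts created under a weak legacy scheme.
    legacy = lambda pw: make_record(pw, "pbkdf2-sha1", 1000)
    db = {"active": legacy("correct horse"), "dormant": legacy("hunter2")}
    ok = login(db, "active", "correct horse")   # upgrades this record
    bad = login(db, "active", "wrong guess")    # rejected, nothing changes
    return ok, bad, db                          # "dormant" never logged in

if __name__ == "__main__":
    ok, bad, db = demo()
    print(ok, bad, {u: r.split("$")[:2] for u, r in db.items()})
```

The dormant account's record stays on the legacy scheme no matter what policy changes, and a copy of it taken before the migration is unaffected by any later upgrade.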