// Comparison

Real-World Cryptography vs The Tangled Web: Which Should You Read?

Two cybersecurity books on AppSec, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

5/52021

David Wong

David Wong's hands-on tour of the cryptographic primitives, protocols and pitfalls that show up in actual production systems, with deliberate attention to TLS, Noise, modern AEAD, and post-quantum.

Advanced

5/52011

The Tangled Web

A Guide to Securing Modern Web Applications

Michal Zalewski

The deepest book ever written on the strange, accreted security model of the web browser.

Read this if

Working engineers who need to make crypto decisions in real systems: AEAD ciphers, key exchange, signatures, password hashing, PKI, end-to-end encryption, post-quantum migration. The new modern default and the book we recommend first to almost anyone touching cryptography in production.

Anyone who builds, attacks, or audits browser-based systems and wants to know why the rules are the way they are.

Skip this if

Cryptography researchers or readers wanting full mathematical proofs. The math is bounded to what an engineer needs to evaluate choices, not full constructions. For the next layer of depth read Serious Cryptography after this.

Beginners, Zalewski assumes you've already touched the surface and want the substrate. Start with PortSwigger Academy first.

Key takeaways

Most crypto vulnerabilities are misuse, not broken primitives; Wong's framing of "what to use, what to avoid" is the cleanest in print.
TLS 1.3, Noise, and Signal-style protocols compose primitives in patterns engineers should recognise on sight, this book teaches the patterns.
Post-quantum cryptography is no longer optional reading; the book introduces the lattice and hash-based constructions you'll be deploying within a few years.

The web's security model is not designed; it is excavated.
Origins, schemes, and trust boundaries are the only real abstractions; everything else is a leaky negotiation.
Specifications and reality diverge constantly, and the divergence is where bugs live.

How they compare

Real-World Cryptography and The Tangled Web are both rated 5/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Real-World Cryptography is pitched at intermediate level. The Tangled Web is pitched at advanced level. Read the easier one first if you're not yet comfortable with the topic.

Real-World Cryptography and The Tangled Web both cover AppSec, so reading them in sequence reinforces the same material from different angles.

Keep reading

Real-World Cryptography

→ Alternatives to Real-World Cryptography → What to read after Real-World Cryptography