The question of trust

Who and what do you trust if you use this application? First of all, you trust me and my professionalism. You trust that the app has been designed to work properly and that all its sub-components are also designed by professional and well-meaning people.

You trust that AES is a reliable cryptographic method and that no practical method exists to break it. You trust that the estimates of quantum computing resilience in this table hold for AES, PBKDF2, and the SHA-256 hash function used by PBKDF2. Note that this app uses even longer passwords and more iterations of PBKDF2 than the estimates in the table.

You trust that the hosting provider has not interfered with the app's code and that it will be transferred from the web server to your device unchanged. You trust that the server (or servers) on which the app resides are adequately protected. You trust that the network connection used to transfer the app to your device is authenticated and encrypted to the best available standards. You trust that your web browser works correctly, does not contain malicious code, and that the cryptographic primitives in the browser are implemented correctly. You trust that your browser or operating system is not infected with malicious software.

Some of the above can be checked to a certain extent by automated means. An easy way to check the technical integrity of any website (whether the domain name is signed, whether the site uses modern security settings, etc.) is to use the tool provided by the Dutch Internet Standards Platform at internet.nl. Another tool is the ImmuniWeb SSL/TLS Security Test, a free service that checks whether a service meets the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements, and the U.S. National Institute of Standards and Technology (NIST) guidelines. urlscan.io is a free service that scans and analyzes websites. When a URL is submitted to it, an automated process browses to the URL like a regular user and records the activity that this page navigation creates.
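One link in the chain above, that the app's code reaches your device unchanged, can also be checked by hashing the received file and comparing it with a reference value. The following is an added example, not code from this app or page; it assumes a reference hash in Subresource Integrity format is available from a channel other than the web server (this page does not state that one is published), and the sample file content is constructed.

```javascript
// Added example (not the app's own code): Subresource-Integrity-style check
// that a downloaded file matches a reference hash obtained out of band.
const crypto = require('crypto');

// Hash algorithms accepted in an integrity string, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Return "<alg>-<base64 digest>" for the given bytes.
function integrityOf(bytes, alg = 'sha384') {
  if (!STRENGTH.includes(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${crypto.createHash(alg).update(bytes).digest('base64')}`;
}

// Parse a whitespace-separated integrity string; malformed or unknown
// entries (for example "md5-...") are dropped.
function parseIntegrity(reference) {
  return reference.trim().split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
}

// True only if the bytes match a reference digest of the strongest algorithm
// listed. An empty or unparseable reference fails closed.
function verifyIntegrity(bytes, reference) {
  const entries = parseIntegrity(reference);
  if (entries.length === 0) return false;
  const strongest = STRENGTH[Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)))];
  const actual = crypto.createHash(strongest).update(bytes).digest();
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => {
      const expected = Buffer.from(e.digest, 'base64');
      return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
    });
}

// Constructed sample standing in for the app's served JavaScript file.
const served = Buffer.from('function encrypt(){/* constructed sample */}\n');
const published = integrityOf(served); // reference value from a separate channel
const tampered = Buffer.concat([served, Buffer.from('// changed in transit\n')]);
console.log(published, verifyIntegrity(served, published), verifyIntegrity(tampered, published));
```

The comparison only adds assurance when the reference value does not come from the same server as the file, since anyone able to alter the file there could alter the hash as well.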

For the trustworthy operation of your own device, it is essential that you use a properly updated version of your browser without unnecessary plug-ins or extensions, install all necessary updates to your operating system, and keep your anti-malware software up to date.
