The question of trust

Who and what do you trust if you use this app? First of all, you trust me and my professionalism. You trust that the app has been designed to work properly and that all of its sub-components are also designed by professional and well-meaning people.

You trust that AES is a reliable cryptographic method and that there exists no practical way to break it. You trust that the estimates of quantum computing resilience in this table hold for AES, PBKDF2, and the SHA-256 hash function used by PBKDF2. Note that this app uses even longer passwords and more iterations of PBKDF2 than the estimates in the table assume.

You trust the Domain Name System (DNS) and DNSSEC, which authenticates the name crypt-app.net, and the Certificate Transparency ecosystem. You trust the hosting provider, the protection of its servers, and that the app's code is sent from the website to your device unchanged. You trust that the network connection is authenticated and encrypted to the best available standards. You trust that your web browser works correctly, does not contain malicious code, and that the cryptographic primitives in the browser are implemented correctly. You trust that your system is not infected with any malicious software that could interfere with the app's operation at the browser or operating system level, and that there are no side-channel attacks in progress.

Automated means can check some of the above to a certain extent. An easy way to check the technical integrity of any website (whether the domain name is signed, whether the site uses modern security settings, etc.) is to use the tool provided by the Dutch Internet Standards Platform at internet.nl. Another tool is the free ImmuniWeb SSL/TLS Security Test, which checks whether a service meets the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements, the U.S. Health Insurance Portability and Accountability Act (HIPAA) requirements, and the U.S. National Institute of Standards and Technology (NIST) guidelines. urlscan.io is a free service to scan and analyze websites: when a URL is submitted to it, an automated process browses to the URL like a regular user and records the activity that this page navigation creates.
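A command-line counterpart to those checks, added here as an example and not code from crypt-app.net: it parses the output of dig and openssl to confirm two of the trust anchors named above, that the zone is DNSSEC-signed and that the served certificate carries Certificate Transparency SCTs. It assumes dig and openssl are installed for the live check; the sample outputs are constructed so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example: check DNSSEC validation and embedded CT SCTs for a host.

# Returns 0 when a "dig +dnssec" answer carries the AD (authenticated data)
# flag and an RRSIG record. AD is set by the recursive resolver you query, so
# it only means something if that resolver validates DNSSEC and you trust it.
dnssec_validated() {
  printf '%s\n' "$1" | grep -q -E '^;; flags:.* ad[ ;]' || return 1
  printf '%s\n' "$1" | grep -q -E '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' || return 1
  return 0
}

# Prints the number of Signed Certificate Timestamps that "openssl x509 -text"
# lists under the "CT Precertificate SCTs" extension (0 if none).
sct_count() {
  printf '%s\n' "$1" | grep -c 'Signed Certificate Timestamp:' || true
}

# Live check against a host; needs dig, openssl and network access.
check_live() {
  host=$1
  if dnssec_validated "$(dig +dnssec "$host" A)"; then
    printf 'DNSSEC: AD flag set and RRSIG present for %s\n' "$host"
  else
    printf 'DNSSEC: not validated for %s (unsigned zone or non-validating resolver)\n' "$host"
  fi
  cert=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
         openssl x509 -noout -text)
  printf 'Embedded SCTs: %s\n' "$(sct_count "$cert")"
}

# Constructed sample outputs (192.0.2.10 is a documentation address; the
# RRSIG signature and SCT fields are shortened) for offline use of the parsers.
SAMPLE_DIG=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
crypt-app.net.  300 IN A    192.0.2.10
crypt-app.net.  300 IN RRSIG A 13 2 300 20240101000000 20231201000000 12345 crypt-app.net. c2lnLi4u'
SAMPLE_DIG_UNVALIDATED=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
crypt-app.net.  300 IN A    192.0.2.10'
SAMPLE_CERT='        X509v3 extensions:
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)'
```

Run `check_live crypt-app.net` on a machine whose resolver validates DNSSEC to apply both checks to the real site.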

The trustworthy operation of your own device is essential: use an updated version of your browser, use only trusted plug-ins or extensions, install all necessary updates to your operating system, and keep your anti-malware software up to date.
