info/trust.html

Last modified Fri Sep 10 12:13:37 UTC 2021


<!DOCTYPE html>
<html lang="en">
<head>
	<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> 
	<meta name="viewport" content="width=device-width, initial-scale=1" />
	<title>The question of trust | Safe Crypt App</title>
	<link rel="canonical" href="https://crypt-app.net/info/trust.html" />
	<link rel="stylesheet" href="../assets/css/info.css">
</head>
<body>

	<h1><span class="circle">i</span>&nbsp; The question of trust</h1>
	
	<div class="hyphenate">
	<p>
		Who and what do you trust if you use this app?
		First of all, you trust <a href="https://petri.kutvonen.net">me</a><span class="linkout">*</span>
		and my professionalism. 
		You trust that the app has been designed to work properly and that all its
		sub-components are also designed by professional and well-meaning people.
	</p>
	<p>
		You trust that <a href="aes-256-gcm.html">AES</a> is a reliable cryptographic method and
		that there exists no practical way to break it.
		You trust that the estimates of quantum computing resilience in this
		<a href="../assets/img/quantum-resilience.png">table</a>
		hold for AES, <a href="aes-256-gcm.html">PBKDF2</a>,
		and the
		<a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf">SHA-256</a><span class="pdf">&nbsp;PDF</span><span class="linkout">*</span>
		hash function used by PBKDF2.
		Note that this app uses even longer passwords and more PBKDF2 iterations than the estimates in the table assume.
	</p>
	<p>
		You trust the
		<a href="https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts">Domain Name System</a><span class="linkout">*</span> and
		<a href="https://go.icann.org/DNSSEC">DNSSEC</a><span class="linkout">*</span>, which
		<a href="https://dnsviz.net/d/crypt-app.net/dnssec/">authenticates</a><span class="linkout">*</span>
		the name <a href="https://crypt-app.net/">crypt-app.net</a>, and
		the <a href="https://certificate.transparency.dev/howctworks/">Certificate Trans&shy;parency</a><span class="linkout">*</span> ecosystem.
		You trust the <a href="https://www.digitalocean.com/about/">hosting provider</a><span class="linkout">*</span>,
		the protection of its servers, and that the app's code 
		is sent from the website to your device unchanged.

		You trust that the network connection
		is authenticated and encrypted to the best available standards.
		You trust that your web browser works correctly, does not
		contain malicious code, and that the cryptographic primitives in the
		browser are implemented correctly. 

		You trust that your system is not infected with any malicious software
		that could interfere with the app's operation at the browser or operating-system level
		and that there are no
		<a href="https://www.cse.iitb.ac.in/archive/internal/techreports/reports/TR-CSE-2016-78.pdf">side-channel attacks</a><span class="pdf">&nbsp;PDF</span><span class="linkout">*</span>
		in progress.
	</p>
	<p>
		Automated means can check some of the above to a certain extent.
		An easy way to check the technical integrity of any website
		(whether the domain name is signed, whether the site uses modern security settings, etc.) 
		is to use a tool provided by the Dutch
		<a href="https://www.internet.nl/about/">Internet Standards Platform</a><span class="linkout">*</span> at
		<a href="https://internet.nl/site/crypt-app.net" target="_blank">internet.nl</a><span class="obs">&nbsp;NEW&nbsp;TAB</span><span class="linkout">*</span>.
		Another tool is the free
		<a href="https://immuniweb.com/ssl/">ImmuniWeb SSL/TLS Security Test</a><span class="linkout">*</span>,
		which checks whether a service meets the Payment Card
		Industry Data Security Standard (PCI DSS)
		<a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">compliance require&shy;ments</a><span
			class="obs">&nbsp;FREE&nbsp;REG</span><span class="pdf">&nbsp;PDF</span><span class="linkout">*</span>,
		the U.S. Health Insurance Portability and Account&shy;ability Act (HIPAA)
		<a href="https://www.hhs.gov/hipaa/for-professionals/breach-notification/guidance/index.html">requirements</a><span class="linkout">*</span>, 
		and the U.S. National Institute of Standards and Technology (NIST) 
		<a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf">guidelines</a><span class="pdf">&nbsp;PDF</span><span class="linkout">*</span>.
		<a href="https://urlscan.io">urlscan.io</a><span class="linkout">*</span>
		is a free service for scanning and analyzing websites.
		When a URL is submitted to it, an automated process will browse to the URL like a regular user
		and record the activity that this page navigation creates.
	</p>
	<p>
		The trustworthy operation of your own device is essential: 
		use an updated version of your browser, 
		use only trusted plug-ins or extensions, 
		install all necessary updates to your operating system,
		and keep your anti-malware software up to date.
	</p>
	</div>

	<div class="back"><a href="./index.html">BACK</a></div>
</body>
</html>