SecurePut

FAQ

Questions and Answers

What is this program?

This software allows your phone to securely type on your other devices. This is great for unlocking password managers. Some users might also consider purchasing a hardware dongle (e.g. in order to type passwords for disk encryption).

What happens when I scan the QR code (or tap the NFC)?

In general, similar to Bluetooth pairing, when you scan the QR code on the device with your phone, you are authorizing your phone (and only your phone) to send instructions to your device. More specifically, the QR code contains a unique identity that this program will use for its lifetime. Your phone has also generated an identity of its own. Upon scanning, these two identities are registered as being authorized to send messages to each other. This pairing record is stored on our server. The security lies in the fact that the QR code also contains a secret code, which remains solely on your own devices. As a result, the server cannot understand the messages, nor can it send messages of its own: your devices reject any message that does not decrypt with the expected secret.

How is it secure?

What if you're hacked?

TL;DR: The hackers would be unable to do anything other than disrupt service.

No server can be perfectly secure. If our signaling server is hacked (this is the server that enables your phone to see this device over the internet in order to establish the peer-to-peer connection reliably through firewalls), this has no effect other than loss of service while we fix the disruption. I will explain how by describing more of the architecture. When you scan the QR code, a special secret is stored on your phone. Only the desktop program (which generated the QR code) and your phone (which read the QR code) know this secret. A phone (or a hacker pretending to be the phone, or a hacker who took over the server) cannot read these messages without knowing the secret, which has never left your device. Compromising the server does not reveal this secret; the server is merely a dumb switchboard. The only way to get the secret is to compromise your phone's storage or your desktop's storage. The server does not hold any important data. It is merely the matchmaker, a centralized facilitator that lets the two devices find each other and have their intended conversation.
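The rejection behaviour described in the two answers above, as an added example that is not SecurePut's own code. The page does not name a cipher or a message format, so AES-256-GCM, the QR payload fields and every function name here are assumptions made for illustration.

```javascript
// Added illustration (Node.js). Cipher choice and all names are assumptions.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Desktop: create the identity and the pairing secret that go into the QR code.
function makeQrPayload() {
  return { deviceId: randomBytes(8).toString('hex'), secret: randomBytes(32) };
}

// Sender: encrypt and authenticate one message with the pairing secret.
function seal(secret, plaintext) {
  const nonce = randomBytes(12); // fresh nonce for every message
  const cipher = createCipheriv('aes-256-gcm', secret, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { nonce, body, tag: cipher.getAuthTag() };
}

// Receiver: return the plaintext, or null when the message must be rejected.
function open(secret, msg) {
  try {
    const decipher = createDecipheriv('aes-256-gcm', secret, msg.nonce);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong key or modified ciphertext: authentication failed
  }
}

// Signaling server: forwards opaque bytes and never holds the secret.
function relay(msg) {
  return { nonce: msg.nonce, body: Buffer.from(msg.body), tag: msg.tag };
}

function demo() {
  const qr = makeQrPayload();      // shown on the desktop
  const phoneSecret = qr.secret;   // learned by the phone from the scan
  const sample = 'correct horse\n'; // constructed sample keystrokes

  // Normal path: phone -> relay -> desktop.
  const genuine = open(qr.secret, relay(seal(phoneSecret, sample)));
  // Compromised relay invents a message; it can only use a key of its own.
  const forged = open(qr.secret, seal(randomBytes(32), 'injected text\n'));
  // Compromised relay flips one bit of a real message in transit.
  const altered = relay(seal(phoneSecret, sample));
  altered.body[0] ^= 0x01;
  const tampered = open(qr.secret, altered);
  return { genuine, forged, tampered };
}

console.log(demo());
```

Only the message sealed with the QR-derived secret is accepted; the forged and bit-flipped messages both come back as `null`, which is the "disrupt service, nothing more" outcome the answer describes.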