Threat Model

Understand precisely what ITYLOS protects and, above all, what it cannot prevent.

Why a Threat Model?

No system is infallible. In cybersecurity, trust comes from transparency. The Threat Model defines the scope of ITYLOS's effectiveness. It sets out the attack vectors the platform is designed to resist, as well as the technical limits beyond which liability falls back to the user and their environment (endpoint).

🛡️ What ITYLOS protects (In-Scope)

Our protocol was specifically designed to counter threats related to data retention and network interception during secret sharing.

Threats neutralized by the protocol

  • Network interception (MitM): The transport of the encrypted envelope or sharing link is protected by standard TLS 1.3 (HTTPS), preventing passive eavesdropping.
  • Server data leak (Data Breach): If ITYLOS databases were compromised, the attacker would only recover totally undecipherable AES-256-GCM blobs (Zero-Knowledge). The key is never stored.
  • Extended retention & History mining: Neutralized by the irreversible deletion of the capsule after the first read or its temporal expiration. The secret does not linger for years in mailboxes or chats.
  • Subsequent access by a third party: If a person accesses the sender's or recipient's computer after the reading event, the link will already be "burned" (Error 404 - Not Found).
  • Data alteration in transit: The GCM mode of the AES algorithm guarantees the authenticity and integrity of the capsule. If the envelope is fraudulently modified on the network, decryption will fail locally and the secret will not be displayed.

Security assumptions (Trust Model)

The operation of ITYLOS relies on certain prerequisites regarding your environment. If these assumptions are false, the security of the transmission is compromised.

What we consider "Sound"

  • The client device (Endpoints): The sender's and recipient's physical devices are not compromised by malware, a keylogger, or spyware.
  • Browser integrity: The browser used for encryption/decryption is not altered by malicious extensions capable of reading local memory or form fields.
  • Web Crypto API implementation: The pseudo-random number generator (CSPRNG) provided by the operating system and browser works correctly and generates mathematically strong entropy.
  • The link distribution channel: The sender manages to deliver the link (the URL containing the #key fragment) to the legitimate recipient reliably, without immediate interception.

The inherent limitation of Web applications

Unlike a compiled application installed on your computer, ITYLOS is a web application. Although we cannot decrypt your data, you must trust that the ITYLOS server delivers the legitimate JavaScript code at the precise moment of your visit. This is a universally accepted limitation for all browser-based cryptography tools.

⚠️ What ITYLOS does NOT protect (Limitations)

Cryptography does not solve human problems or flaws in the execution environment (Endpoint). Here is what falls, technically and by design, outside our control.

Out-of-scope threats

  • The human factor (Voluntary copy): We physically cannot prevent a recipient from copying and pasting the secret, using their system's screenshot tool, or taking a photo of the monitor with their phone (Analog Hole).
  • Phishing & Social Engineering: If the sender is manipulated by an attacker and voluntarily transmits the generated link, the system will function normally and deliver the secret to the attacker.
  • Malware on the device (Endpoint Compromise): If malware reads the recipient browser's RAM while it displays the plaintext secret, transit encryption is of no use.
  • Interception of the distribution channel: ITYLOS cannot protect the secret if the email or Slack message containing the ITYLOS link (with its #key fragment) is intercepted by a third party before the legitimate recipient clicks on it. (Tip: Add an optional password to the capsule and transmit it via a completely different channel, such as SMS).

🛑 What ITYLOS is not

It is crucial to choose the right tool for the right need. ITYLOS is designed for an extremely precise use case: ephemeral transmission (Fire and Forget).

Unsuitable uses

  • A global password manager: Tools like Bitwarden or KeePass are designed to store your credentials persistently. ITYLOS is designed only to transmit them to someone else.
  • An asynchronous encrypted messenger: For continuous and secure conversations requiring strong mutual authentication (Signal, Session, PGP), ITYLOS is not the right tool.
  • A collaborative cloud vault: If you want to share a document that needs to be viewed, edited, or downloaded multiple times by multiple people over a long period, use a dedicated Zero-Knowledge cloud (such as Proton Drive or Tresorit).
