| | 1 | + | # Bookmark Knocking: Hidden Bookmarks Without a Browser Extension |
| | 2 | + | |
| | 3 | + | Click special bookmarks in the right order to open a hidden link. |
| | 4 | + | |
| | 5 | + | - [Try the demo](https://jstrieb.github.io/projects/hidden-bookmarks/#demo) |
| | 6 | + | |
| | 7 | + | --- |
| | 8 | + | |
| | 9 | + | # Introduction |
| | 10 | + | |
| | 11 | + | Imagine that you want to propose to your partner, but they sometimes use your |
| | 12 | + | computer. You don't want them to see that you are bookmarking wedding rings. |
| | 13 | + | What do you do? |
| | 14 | + | |
| | 15 | + | Alternatively, imagine you live with someone abusive. You decide to get help, |
| | 16 | + | so you look for resources on the Internet. There are helpful links, but you |
| | 17 | + | know if you bookmark them and your abuser goes through your computer, they may |
| | 18 | + | find them. You can't install a hidden bookmark extension either, because they |
| | 19 | + | could just as easily notice that. What do you do? Unfortunately, this is a |
| | 20 | + | [realistic scenario for many |
| | 21 | + | people](https://www.nytimes.com/wirecutter/blog/domestic-abusers-can-control-your-devices-heres-how-to-fight-back/). |
| | 22 | + | |
| | 23 | + | Almost a year ago, I created [Link Lock](https://jstrieb.github.io/link-lock) |
| | 24 | + | -- a tool to enable anyone to securely password-protect URLs. But adding a |
| | 25 | + | password to links isn't always enough. |
| | 26 | + | |
| | 27 | + | Link Lock relies on strong cryptography for security, but sometimes a layer of |
| | 28 | + | obscurity is a practical necessity. In other words, there are some situations |
| | 29 | + | where a bookmark that asks for a password is too suspicious to be useful, even |
| | 30 | + | if the password protection is secure. |
| | 31 | + | |
| | 32 | + | Bookmark knocking is a novel technique to address this problem. It enables |
| | 33 | + | users to hide bookmarks using features already built into every web browser. |
| | 34 | + | There are two versions available: |
| | 35 | + | |
| | 36 | + | - [A stable, simplified version integrated directly into Link |
| | 37 | + | Lock](https://jstrieb.github.io/link-lock/hidden/) |
| | 38 | + | - [An experimental |
| | 39 | + | version](https://jstrieb.github.io/projects/hidden-bookmarks/#demo), designed |
| | 40 | + | to test the limits of the idea |
| | 41 | + | |
| | 42 | + | |
| | 43 | + | # How It Works |
| | 44 | + | |
| | 45 | + | Bookmark knocking is similar to [port |
| | 46 | + | knocking](https://en.wikipedia.org/wiki/Port_knocking), for which it was named. |
| | 47 | + | A user who wants access to a hidden link must know to click the right bookmarks |
| | 48 | + | in the right "knock sequence." If they do this, they will be redirected to the |
| | 49 | + | hidden page. |
| | 50 | + | |
| | 51 | + | The concept relies on storing encrypted data about the hidden link in the [URL |
| | 52 | + | fragment](https://en.wikipedia.org/wiki/URI_fragment) or "hash." This is the |
| | 53 | + | part of the URL that comes after a `#`, and typically takes a user to some spot |
| | 54 | + | in the middle of the page. |
| | 55 | + | |
| | 56 | + | In this case, the hash contains a |
| | 57 | + | [base64](https://en.wikipedia.org/wiki/Base64)-encoded |
| | 58 | + | [JSON](https://en.wikipedia.org/wiki/JSON) object. The object consists of the |
| | 59 | + | [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-encrypted |
| | 60 | + | secret URL and the currently-attempted knock sequence. The knock sequence |
| | 61 | + | attempt is stored as a string of characters, and is used as a passphrase to |
| | 62 | + | try decrypting the secret link after each knock. |
| | 63 | + | |
| | 64 | + | When one of the special knock sequence bookmarks is clicked, it runs JavaScript |
| | 65 | + | to check if the current URL fragment is base64-encoded JSON with the required |
| | 66 | + | information. If not, it redirects to the user-specified decoy bookmark link. If |
| | 67 | + | so, it adds some static characters to the current passphrase attempt string and |
| | 68 | + | tries to decrypt the hidden link using the newly-modified passphrase. |
| | 69 | + | |
| | 70 | + | If decryption succeeds, it redirects to the now-decrypted, no-longer-hidden |
| | 71 | + | link. On the other hand, if this attempt fails, it redirects to the bookmark |
| | 72 | + | link that it normally would, but with a URL fragment containing updated |
| | 73 | + | information about the latest attempt. Then the user can perform the next knock |
| | 74 | + | in the sequence, and the process repeats. |
| | 75 | + | |
| | 76 | + | Since it is perfectly valid to have an arbitrary hash at the end of a typical |
| | 77 | + | URL, the bookmark behaves normally if the knock sequence is incorrect or |
| | 78 | + | incomplete. The only distinguishing feature of the decoy bookmark URLs is the |
| | 79 | + | presence of a long, nonsensical fragment, which wouldn't alarm most people. |
| | 80 | + | |
| | 81 | + | ## Link Lock Version |
| | 82 | + | |
| | 83 | + | The simplified version of bookmark knocking built into Link Lock only supports |
| | 84 | + | two knocks. There is one universal second knock for any valid first knock. Then |
| | 85 | + | the hidden link prompts for a password. This two-knock version provides a |
| | 86 | + | practical level of privacy, without compromising on usability or security. |
| | 87 | + | |
| | 88 | + | |
| | 89 | + | <!-- |
| | 90 | + | In port knocking, a user who attempts connections to closed ports is granted |
| | 91 | + | access if they connect to the correct ports in the correct order. For bookmark |
| | 92 | + | knocking, a user who clicks certain, otherwise-normal bookmarks in the right |
| | 93 | + | order is redirected to a hidden link. |
| | 94 | + | --> |
| | 95 | + | |
| | 96 | + | |
| | 97 | + | |
| | 98 | + | # Who It Is For |
| | 99 | + | |
| | 100 | + | Software security claims are only valid relative to a well-defined threat |
| | 101 | + | model. In this case, the software aims to be secure against family and friends, |
| | 102 | + | not agencies. |
| | 103 | + | |
| | 104 | + | In other words, links protected with bookmark knocking (as implemented here) |
| | 105 | + | will be difficult to notice for most people, let alone crack. But the |
| | 106 | + | protection *can* be noticed by an astute observer, and *can* be broken by a |
| | 107 | + | determined adversary. (The keyspace is extremely small. Assume any attacker |
| | 108 | + | with all of the bookmarks in the knock sequence and the ability to brute force |
| | 109 | + | AES-GCM-encrypted data will successfully uncover your hidden link. On the other |
| | 110 | + | hand, if you hide a Link Lock URL, the hidden link will be securely |
| | 111 | + | password-protected.) |
| | 112 | + | |
| | 113 | + | Despite shortcomings, bookmark knocking is still a useful part of |
| | 114 | + | defense-in-depth. For more serious security, use the version built into [Link |
| | 115 | + | Lock](https://jstrieb.github.io/link-lock/). |
| | 116 | + | |
| | 117 | + | **Don't forget to use private browsing or incognito mode when accessing hidden |
| | 118 | + | links, otherwise the secret links are stored in your browser history, and the |
| | 119 | + | protection is worthless!** |
| | 120 | + | |
| | 121 | + | Example use cases: |
| | 122 | + | |
| | 123 | + | - Hide private links from other users of a shared computer |
| | 124 | + | - Prevent embarrassing bookmarks from being accidentally opened during a |
| | 125 | + | live-stream, video call, or demonstration |
| | 126 | + | - Access a secret link without typing in a password (if there is concern about |
| | 127 | + | keyloggers or other [stalkerware](https://en.wikipedia.org/wiki/Stalkerware)) |
| | 128 | + | - Create a fun riddle or prank for the owner of a computer you gain access to |
| | 129 | + | - Discreetly save personal bookmarks to a work computer |
| | 130 | + | |
| | 131 | + | |
| | 132 | + | |
| | 133 | + | # Known Issues |
| | 134 | + | |
| | 135 | + | If you have ideas for how to address the following problems, or want to discuss |
| | 136 | + | others, please [open an issue on |
| | 137 | + | GitHub](https://github.com/jstrieb/link-lock/issues/new) or use my [contact |
| | 138 | + | form](https://jstrieb.github.io/about#contact). |
| | 139 | + | |
| | 140 | + | - Generated bookmarks are prefixed with `javascript:` and therefore cannot have |
| | 141 | + | favicons. As such, they're not perfectly identical to a regular bookmark for |
| | 142 | + | the same site. |
| | 143 | + | - Websites that modify the URL fragment will screw up the bookmark knocking. |
| | 144 | + | These sites should not be used for steps in the knock sequence. Some examples |
| | 145 | + | include Gmail and Telegram. |
| | 146 | + | - Only tested with desktop Firefox and Chrome. Not tested with Safari, Edge, or |
| | 147 | + | on mobile devices. |
| | 148 | + | - Despite spending hours revising the instructions for the [Link Lock hidden |
| | 149 | + | bookmarks](https://jstrieb.github.io/link-lock/hidden/) page, it is still far |
| | 150 | + | from perfect. Making this idea easy to use and understand is very difficult. |
| | 151 | + | |
| | 152 | + | |
| | 153 | + | |
| | 154 | + | # For Abuse Victims |
| | 155 | + | |
| | 156 | + | This technology is designed to be helpful for anyone who needs more privacy |
| | 157 | + | than they feel they have, but it cannot guarantee anything. You are the expert |
| | 158 | + | in your own situation, and you need to judge if it is appropriate to use this |
| | 159 | + | software. If you are in a dangerous situation, please seek help. |
| | 160 | + | |
| | 161 | + | From a [New York Times |
| | 162 | + | Article](https://www.nytimes.com/wirecutter/blog/domestic-abusers-can-control-your-devices-heres-how-to-fight-back/) |
| | 163 | + | on technology and domestic abuse: |
| | 164 | + | |
| | 165 | + | > If you are in immediate danger, call 911. |
| | 166 | + | > |
| | 167 | + | > If your calls are being tracked, call your local services hotline, like 211 |
| | 168 | + | > or 311, and ask to be transferred to a local resource center. |
| | 169 | + | > |
| | 170 | + | > If you or someone you know is in an abusive relationship or has been sexually |
| | 171 | + | > assaulted, call the [National Sexual Assault |
| | 172 | + | > Hotline](https://www.rainn.org/get-help/national-sexual-assault-hotline) at |
| | 173 | + | > 800-656-HOPE or the [National Domestic Violence |
| | 174 | + | > Hotline](https://www.thehotline.org/) at 800-799-SAFE (you can also [chat |
| | 175 | + | > live with an advocate at |
| | 176 | + | > NDVH](https://www.thehotline.org/what-is-live-chat/), or text LOVEIS to |
| | 177 | + | > 22522). |
| | 178 | + | |
Jacob Strieb
committed
3 years ago
1 parent 09fb92a7