| 1 | + | # Bookmark Knocking: Hidden Bookmarks Without a Browser Extension |
| 2 | + | |
| 3 | + | Click special bookmarks in the right order to open a hidden link. |
| 4 | + | |
| 5 | + | - [Try the demo](https://jstrieb.github.io/projects/hidden-bookmarks/#demo) |
| 6 | + | |
| 7 | + | --- |
| 8 | + | |
| 9 | + | # Introduction |
| 10 | + | |
| 11 | + | Imagine that you want to propose to your partner, but they sometimes use your |
| 12 | + | computer. You don't want them to see that you are bookmarking wedding rings. |
| 13 | + | What do you do? |
| 14 | + | |
| 15 | + | Alternatively, imagine you live with someone abusive. You decide to get help, |
| 16 | + | so you look for resources on the Internet. There are helpful links, but you |
| 17 | + | know if you bookmark them and your abuser goes through your computer, they may |
| 18 | + | find them. You can't install a hidden bookmark extension either, because they |
| 19 | + | could just as easily notice that. What do you do? Unfortunately, this is a |
| 20 | + | [realistic scenario for many |
| 21 | + | people](https://www.nytimes.com/wirecutter/blog/domestic-abusers-can-control-your-devices-heres-how-to-fight-back/). |
| 22 | + | |
| 23 | + | Almost a year ago, I created [Link Lock](https://jstrieb.github.io/link-lock) |
| 24 | + | -- a tool to enable anyone to securely password-protect URLs. But adding a |
| 25 | + | password to links isn't always enough. |
| 26 | + | |
| 27 | + | Link Lock relies on strong cryptography for security, but sometimes a layer of |
| 28 | + | obscurity is a practical necessity. In other words, there are some situations |
| 29 | + | where a bookmark that asks for a password is too suspicious to be useful, even |
| 30 | + | if the password protection is secure. |
| 31 | + | |
| 32 | + | Bookmark knocking is a novel technique to address this problem. It enables |
| 33 | + | users to hide bookmarks using features already built into every web browser. |
| 34 | + | There are two versions available: |
| 35 | + | |
| 36 | + | - [A stable, simplified version integrated directly into Link |
| 37 | + | Lock](https://jstrieb.github.io/link-lock/hidden/) |
| 38 | + | - [An experimental |
| 39 | + | version](https://jstrieb.github.io/projects/hidden-bookmarks/#demo), designed |
| 40 | + | to test the limits of the idea |
| 41 | + | |
| 42 | + | |
| 43 | + | # How It Works |
| 44 | + | |
| 45 | + | Bookmark knocking is similar to [port |
| 46 | + | knocking](https://en.wikipedia.org/wiki/Port_knocking), for which it was named. |
| 47 | + | A user who wants access to a hidden link must know to click the right bookmarks |
| 48 | + | in the right "knock sequence." If they do this, they will be redirected to the |
| 49 | + | hidden page. |
| 50 | + | |
| 51 | + | The concept relies on storing encrypted data about the hidden link in the [URL |
| 52 | + | fragment](https://en.wikipedia.org/wiki/URI_fragment) or "hash." This is the |
| 53 | + | part of the URL that comes after a `#`, and typically takes a user to some spot |
| 54 | + | in the middle of the page. |
| 55 | + | |
| 56 | + | In this case, the hash contains a |
| 57 | + | [base64](https://en.wikipedia.org/wiki/Base64)-encoded |
| 58 | + | [JSON](https://en.wikipedia.org/wiki/JSON) object. The object consists of the |
| 59 | + | [AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard)-encrypted |
| 60 | + | secret URL and the currently-attempted knock sequence. The knock sequence |
| 61 | + | attempt is stored as a string of characters, and is used as a passphrase to |
| 62 | + | try decrypting the secret link after each knock. |
| 63 | + | |
| 64 | + | When one of the special knock sequence bookmarks is clicked, it runs JavaScript |
| 65 | + | to check if the current URL fragment is base64-encoded JSON with the required |
| 66 | + | information. If not, it redirects to the user-specified decoy bookmark link. If |
| 67 | + | so, it adds some static characters to the current passphrase attempt string and |
| 68 | + | tries to decrypt the hidden link using the newly-modified passphrase. |
| 69 | + | |
| 70 | + | If decryption succeeds, it redirects to the now-decrypted, no-longer-hidden |
| 71 | + | link. On the other hand, if this attempt fails, it redirects to the bookmark |
| 72 | + | link that it normally would, but with a URL fragment containing updated |
| 73 | + | information about the latest attempt. Then the user can perform the next knock |
| 74 | + | in the sequence, and the process repeats. |
| 75 | + | |
| 76 | + | Since it is perfectly valid to have an arbitrary hash at the end of a typical |
| 77 | + | URL, the bookmark behaves normally if the knock sequence is incorrect or |
| 78 | + | incomplete. The only distinguishing feature of the decoy bookmark URLs is the |
| 79 | + | presence of a long, nonsensical fragment, which wouldn't alarm most people. |
| 80 | + | |
| 81 | + | ## Link Lock Version |
| 82 | + | |
| 83 | + | The simplified version of bookmark knocking built into Link Lock only supports |
| 84 | + | two knocks. There is one universal second knock for any valid first knock. Then |
| 85 | + | the hidden link prompts for a password. This two-knock version provides a |
| 86 | + | practical level of privacy, without compromising on usability or security. |
| 87 | + | |
| 88 | + | |
| 89 | + | <!-- |
| 90 | + | In port knocking, a user who attempts connections to closed ports is granted |
| 91 | + | access if they connect to the correct ports in the correct order. For bookmark |
| 92 | + | knocking, a user who clicks certain, otherwise-normal bookmarks in the right |
| 93 | + | order is redirected to a hidden link. |
| 94 | + | --> |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | # Who It Is For |
| 99 | + | |
| 100 | + | Software security claims are only valid relative to a well-defined threat |
| 101 | + | model. In this case, the software aims to be secure against family and friends, |
| 102 | + | not agencies. |
| 103 | + | |
| 104 | + | In other words, links protected with bookmark knocking (as implemented here) |
| 105 | + | will be difficult to notice for most people, let alone crack. But the |
| 106 | + | protection *can* be noticed by an astute observer, and *can* be broken by a |
| 107 | + | determined adversary. (The keyspace is extremely small. Assume any attacker |
| 108 | + | with all of the bookmarks in the knock sequence and the ability to brute force |
| 109 | + | AES-GCM-encrypted data will successfully uncover your hidden link. On the other |
| 110 | + | hand, if you hide a Link Lock URL, the hidden link will be securely |
| 111 | + | password-protected.) |
| 112 | + | |
| 113 | + | Despite shortcomings, bookmark knocking is still a useful part of |
| 114 | + | defense-in-depth. For more serious security, use the version built into [Link |
| 115 | + | Lock](https://jstrieb.github.io/link-lock/). |
| 116 | + | |
| 117 | + | **Don't forget to use private browsing or incognito mode when accessing hidden |
| 118 | + | links, otherwise the secret links are stored in your browser history, and the |
| 119 | + | protection is worthless!** |
| 120 | + | |
| 121 | + | Example use cases: |
| 122 | + | |
| 123 | + | - Hide private links from other users of a shared computer |
| 124 | + | - Prevent embarrassing bookmarks from being accidentally opened during a |
| 125 | + | live-stream, video call, or demonstration |
| 126 | + | - Access a secret link without typing in a password (if there is concern about |
| 127 | + | keyloggers or other [stalkerware](https://en.wikipedia.org/wiki/Stalkerware)) |
| 128 | + | - Create a fun riddle or prank for the owner of a computer you gain access to |
| 129 | + | - Discreetly save personal bookmarks to a work computer |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | # Known Issues |
| 134 | + | |
| 135 | + | If you have ideas for how to address the following problems, or want to discuss |
| 136 | + | others, please [open an issue on |
| 137 | + | GitHub](https://github.com/jstrieb/link-lock/issues/new) or use my [contact |
| 138 | + | form](https://jstrieb.github.io/about#contact). |
| 139 | + | |
| 140 | + | - Generated bookmarks are prefixed with `javascript:` and therefore cannot have |
| 141 | + | favicons. As such, they're not perfectly identical to a regular bookmark for |
| 142 | + | the same site. |
| 143 | + | - Websites that modify the URL fragment will screw up the bookmark knocking. |
| 144 | + | These sites should not be used for steps in the knock sequence. Some examples |
| 145 | + | include Gmail and Telegram. |
| 146 | + | - Only tested with desktop Firefox and Chrome. Not tested with Safari, Edge, or |
| 147 | + | on mobile devices. |
| 148 | + | - Despite spending hours revising the instructions for the [Link Lock hidden |
| 149 | + | bookmarks](https://jstrieb.github.io/link-lock/hidden/) page, it is still far |
| 150 | + | from perfect. Making this idea easy to use and understand is very difficult. |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | # For Abuse Victims |
| 155 | + | |
| 156 | + | This technology is designed to be helpful for anyone who needs more privacy |
| 157 | + | than they feel they have, but it cannot guarantee anything. You are the expert |
| 158 | + | in your own situation, and you need to judge if it is appropriate to use this |
| 159 | + | software. If you are in a dangerous situation, please seek help. |
| 160 | + | |
| 161 | + | From a [New York Times |
| 162 | + | Article](https://www.nytimes.com/wirecutter/blog/domestic-abusers-can-control-your-devices-heres-how-to-fight-back/) |
| 163 | + | on technology and domestic abuse: |
| 164 | + | |
| 165 | + | > If you are in immediate danger, call 911. |
| 166 | + | > |
| 167 | + | > If your calls are being tracked, call your local services hotline, like 211 |
| 168 | + | > or 311, and ask to be transferred to a local resource center. |
| 169 | + | > |
| 170 | + | > If you or someone you know is in an abusive relationship or has been sexually |
| 171 | + | > assaulted, call the [National Sexual Assault |
| 172 | + | > Hotline](https://www.rainn.org/get-help/national-sexual-assault-hotline) at |
| 173 | + | > 800-656-HOPE or the [National Domestic Violence |
| 174 | + | > Hotline](https://www.thehotline.org/) at 800-799-SAFE (you can also [chat |
| 175 | + | > live with an advocate at |
| 176 | + | > NDVH](https://www.thehotline.org/what-is-live-chat/), or text LOVEIS to |
| 177 | + | > 22522). |
| 178 | + | |
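Review bot: The statement in How It Works (lines 78-79) that "the only distinguishing feature of the decoy bookmark URLs is the presence of a long, nonsensical fragment" conflicts with the Known Issues entry at lines 140-142, which says the generated bookmarks are `javascript:` URLs and therefore have no favicon; anyone who opens the bookmark editor or hovers the entry sees a `javascript:` bookmarklet instead of the decoy site's address, which is a more conspicuous tell than the fragment. Suggest rewording lines 78-79 along the lines of: "The decoy bookmarks differ from a regular bookmark in two visible ways: the stored URL is a `javascript:` bookmarklet rather than the site's own address, and after a knock the address bar carries a long, nonsensical fragment." Relatedly, the bold warning at lines 117-119 only mentions the final secret link landing in browser history, but lines 72-73 describe every failed knock redirecting to the decoy site with an updated fragment, so each intermediate URL, containing the encrypted blob and the partial knock string, is recorded in history too; the warning should say that private browsing has to cover the whole knock sequence, not just the final page, and the Who It Is For section (lines 107-109) would be clearer if it documented how the accumulated knock string is turned into the AES-GCM key, since that is what determines how cheap the acknowledged brute-force attack is.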