Projects STRLCPY link-lock Files
🤬
bruteforce Loading last commit info...
create
decrypt
.gitignore
LICENSE
README.md
api.js
b64.js
corner-ribbon-minified.svg
corner-ribbon.svg
favicon.ico
favicon.svg
index.html
index.js
style.css
README.md

Link Lock

Password-protect URLs using AES in the browser.

About

Link Lock is a tool for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock retrieves the original URL and then redirects there. Otherwise, an error is displayed. Users can also add hints to display near the password prompt.

Each encrypted URL is stored entirely within the link generated by the application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups.

Link Lock has many uses:

  • Store private bookmarks on a shared computer
  • Encrypt entire web pages (via URL Pages)
  • Send sensitive links over public or insecure channels (e.g., posting links to a public website that require a password to access)
  • Implement simple CAPTCHAs – particularly effective against basic web scrapers that do not respect robots.txt
  • Add a password to shared Dropbox or Google Drive links
  • Share password-protected magnet links and torrents

Link Lock uses AES in GCM mode to securely encrypt passwords, and PBKDF2 and salted SHA-256 (100,000 iterations) for secure key derivation. Encryption, decryption, and key derivation are all performed by the SubtleCrypto API. The initialization vector is randomized by default, but the salt is not. Randomization of both the initialization vector and salt can be enabled or disabled by the user via "advanced options." The salt and initialization vector are sent with the encrypted data if they are randomly generated. The API is versioned such that old encrypted links will always work, even if later versions of Link Lock are updated to be more secure. Please read the code (api.js in particular) for more information.

Read the Hacker News discussion here.

Examples

Disclaimer

The code was written to be read. Please read it, especially if you don't trust me to build a secure encryption application. In particular:

  • I am a college student, not a security professional – there may be best practices I am not aware of.
  • Once someone decrypts a link, they can share the original URL as much as they want. Only share encrypted links with trusted people.
  • I am not comfortable using JavaScript, and I don't have a firm grasp of the nuances of the language – there may be bugs that I don't even know to check for.
  • This is the first project I have ever done using encryption – there is likely a subtle mistake somewhere.
  • Most of the encryption/decryption code is based on MDN tutorials for the SubtleCrypto API.

Usage

  • Create a locked link here: https://jstrieb.github.io/link-lock.
  • Use the advanced options when creating a link to make the encryption more secure (at the cost of a longer link).
    • By default, the initialization vector is randomized for security, but this can be disabled, even though doing so is a vulnerability.
    • By default, the salt used to hash the password during key derivation is not randomized, but this can be enabled.
  • To bookmark a locked link, drag it from the output box to the bookmarks bar. Alternatively, visit the locked link and bookmark it before entering the password.
  • If you lose the password, it is almost impossible to recover the original link. The strong security guaranteed by encryption can be a blessing or a curse if you are not careful!
  • Currently, the only way to recover a lost password is by trying all possible options (very slowly) by brute force. An example application to brute force Link Lock URLs can be found here: https://jstrieb.github.com/link-lock/bruteforce.
  • If you receive a Link Lock URL that you do not trust, decrypt it using this interface that does not automatically redirect: https://jstrieb.github.com/link-lock/decrypt.

Acknowledgments

Thank you to those who offered feedback on this program before its release. Thanks also to the Hacker News second-chance pool.

Thanks to @IAmMandatory for discovering a reflected XSS vulnerability resulting from allowing non-hypertext protocols in the URL. The vulnerability has since been fixed.

Thank you to Guillaume (@gverdun) for translating Link Lock into French, and hosting a translated version.

Please wait...
Page is in error, reload to recover