Link Lock now supports secure, hidden bookmarks via bookmark knocking! Read more here.
Link Lock is a tool for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock retrieves the original URL and then redirects there. Otherwise, an error is displayed. Users can also add hints to display near the password prompt.
Each encrypted URL is stored entirely within the link generated by the application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups.
Link Lock has many uses:
Link Lock uses AES in GCM mode to securely encrypt passwords, and PBKDF2 and
salted SHA-256 (100,000 iterations) for secure key derivation. Encryption,
decryption, and key derivation are all performed by the
initialization vector is randomized by default, but the salt is not.
Randomization of both the initialization vector and salt can be enabled or
disabled by the user via "advanced options." The salt and initialization vector
are sent with the encrypted data if they are randomly generated. The API is
versioned such that old encrypted links will always work, even if later
versions of Link Lock are updated to be more secure. Please read the code
particular) for more information.
Read the Hacker News discussion here.
The code was written to be read. Please read it, especially if you don't trust me to build a secure encryption application. In particular:
Link Lock can be used to evade censorship. If you are concerned that sending
links with the
jstrieb.github.io domain name will put you at risk, just
replace the domain with another. For example, share
Any domain can be used in place of
wikipedia.org. That way, a malicious
third party who clicks the altered link will be taken to a valid page, which
helps alleviate suspicion. When sharing the password to unlock the link,
explain how to switch out the domain name with either
jstrieb.github.io/link-lock, or with the path to a local clone of Link Lock.
Using a local copy is particularly recommended for evading censorship, since no
request to my domain is ever made.
Alternatively, paste the altered link directly into the decrypt
page. This page does not check
the domain name of the pasted link, only the "fragment" (the part after the
#). So, for example, the Wikipedia link above can be pasted directly in there
and decrypted without changing the domain.
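
The scheme described above (PBKDF2 with SHA-256 at 100,000 iterations feeding AES-GCM, salt and IV carried in the link only when randomly generated, and decryption that reads only the fragment), as an added JavaScript example using the Web Crypto API. It is not Link Lock's own code; the record field names, the 256-bit key length and the fixed default salt and IV values are assumptions.

```javascript
// Added example, not Link Lock's source. Record fields (v, salt, iv, ct), the
// 256-bit key size and both DEFAULT_* values are assumptions for illustration.
const ITERATIONS = 100000; // PBKDF2 / SHA-256 iteration count from the README
const DEFAULT_SALT = new TextEncoder().encode("constructed-salt"); // constructed
const DEFAULT_IV = new Uint8Array(12); // constructed fixed IV (all zero bytes)
const toB64 = (u8) => btoa(String.fromCharCode(...u8));
const fromB64 = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

// Web Crypto is global in browsers and recent Node; older Node needs node:crypto.
async function getCrypto() {
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

async function deriveKey(c, password, salt) {
  const material = await c.subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return c.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns "#<base64 JSON>"; salt and IV travel in the record only when random.
async function lock(url, password, { randomSalt = false, randomIv = true } = {}) {
  const c = await getCrypto();
  const salt = randomSalt ? c.getRandomValues(new Uint8Array(16)) : DEFAULT_SALT;
  const iv = randomIv ? c.getRandomValues(new Uint8Array(12)) : DEFAULT_IV;
  const key = await deriveKey(c, password, salt);
  const ct = await c.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(url));
  const rec = { v: 1, ct: toB64(new Uint8Array(ct)) };
  if (randomSalt) rec.salt = toB64(salt);
  if (randomIv) rec.iv = toB64(iv);
  return "#" + btoa(JSON.stringify(rec));
}

// Reads only the text after "#", so the host in front of it is irrelevant.
// Returns the URL, or null when decryption fails.
async function unlock(link, password) {
  const c = await getCrypto();
  const rec = JSON.parse(atob(link.slice(link.indexOf("#") + 1)));
  if (rec.v !== 1) throw new Error("unsupported record version");
  const salt = rec.salt ? fromB64(rec.salt) : DEFAULT_SALT;
  const iv = rec.iv ? fromB64(rec.iv) : DEFAULT_IV;
  const key = await deriveKey(c, password, salt);
  try {
    const pt = await c.subtle.decrypt({ name: "AES-GCM", iv }, key, fromB64(rec.ct));
    return new TextDecoder().decode(pt);
  } catch { return null; } // GCM tag check failed: wrong password or tampering
}
```

In this example, turning off both randomizations makes every link locked under the same password reuse one key and IV pair, which AES-GCM is not designed to tolerate; keeping the IV random avoids that.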
Using a local copy of URL Pages is also recommended. Entire web pages can be shared safely and secretly this way.
This project is actively maintained. If there are no recent commits, it means that everything has been running smoothly! Even if the link storage protocol is updated, Link Lock is designed to be 100% backwards-compatible, so your locked links will never break.
Even if something were to happen to me, and I could not continue to work on the project, Link Lock will continue to work as long as my GitHub account is open and the jstrieb.github.io domain is online.
Thank you to those who offered feedback on this program before its release. Thanks also to the Hacker News second-chance pool.
Thanks to @IAmMandatory for discovering a reflected XSS vulnerability resulting from allowing non-hypertext protocols in the URL. The vulnerability has since been fixed.
Thank you to Guillaume (@gverdun) for translating Link Lock into French, and hosting a translated version. Likewise, thanks to Nele Hirsch (@eBildungslabor) for translating and hosting a German version, and to Piotr Wereszczyński (@YourSenseiCreeper) for translating and hosting a Polish version.
There are a few things you can do to support the project:
These things motivate me to keep sharing what I build, and they provide validation that my work is appreciated! They also help me improve the project. Thanks in advance!
If you are insistent on spending money to show your support, I encourage you to instead make a generous donation to one of the following organizations. By advocating for Internet freedoms, organizations like these help me to feel comfortable releasing work publicly on the Web.