Why?

SecretLink was created to address a problem that we see with current link shorteners.

Namely, sites like Dropbox, SharePoint, photo-sharing sites, etc. can generate links to private content that only people with the URL can view.

While these links tend to have enough entropy to make them relatively private, some users unknowingly reduce entropy by sharing these links via link shorteners such as Bit.ly, Google URL Shortener, TinyURL, Ow.ly, FB.me, Twitter, and others.

These link shorteners will redirect anyone with a link to the full-length, original link.

Crawlers, researchers, and other entities spend their time scanning these shortened links for various reasons. As a result, the secrecy of the underlying link is virtually non-existent in these systems.

SecretLink.io is not a link shortener, although it will often produce a shorter URL. If you'd like a link that is both secret and short, the resulting SecretLink URL can be passed through any link shortener to generate a truly shortened URL.

Benefits

  • Stop web crawlers and other agents from stumbling across your links.
    • Even if a crawler finds the URL, crawlers aren't built to enter a password to proceed (even if they had it), which stops them in their tracks.
  • Share a link publicly and give the password via private channels to intended recipients.
  • Create bookmark links for yourself that only you can access, because only you know the correct passphrase.

Security

  • All passwords are hashed with a randomly generated salt and the result is the key used to encrypt your link. Once stored, no one can retrieve your link without the appropriate password.
    • Even if our database is compromised it would be quite difficult to view a link without its password.
  • All API traffic is secured by HTTPS/SSL.
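
The scheme in the first bullet above, sketched as an added example; this is not SecretLink's own code. The page does not name its hash or cipher, so scrypt, AES-256-GCM, the record layout and every function name here are assumptions, and the URL is a constructed sample.

```javascript
// Added illustration, not SecretLink's code. Assumed: scrypt as the salted hash,
// AES-256-GCM as the cipher, and this record layout. All names are hypothetical.
const crypto = require("node:crypto");

// Salted password hash; its 32-byte output is used directly as the cipher key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt a URL under a password. The returned record is what the database
// would hold: no password, no key, no plaintext. The URL is plaintext only
// inside this function and openLink(), the boundary points the page calls out.
function sealLink(url, password) {
  const salt = crypto.randomBytes(16);  // fresh random salt per link
  const nonce = crypto.randomBytes(12); // fresh GCM nonce per link
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(url, "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Returns the URL, or null when the password is wrong or the record was altered.
function openLink(record, password) {
  const key = deriveKey(password, Buffer.from(record.salt, "base64"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.nonce, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, "base64")),
      decipher.final(), // throws if the authentication tag does not verify
    ]);
    return plain.toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample input, not a real share link.
const SAMPLE_URL = "https://files.example.com/s/CONSTRUCTED-TOKEN-0000";
const sampleRecord = sealLink(SAMPLE_URL, "correct horse battery staple");
console.log(sampleRecord);                                           // stored form
console.log(openLink(sampleRecord, "correct horse battery staple")); // the URL
console.log(openLink(sampleRecord, "guess"));                        // null
```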

Known Vulnerabilities

While we’ve taken precautions to ensure the security of your data at rest, we feel that it’s necessary to be up front about where we’re vulnerable.

  • We handle encryption and decryption on the server side. Therefore, on successful link creation and retrieval, the URL exists in its plaintext form.
    • It is at these boundary points that your URL could be captured, logged, transmitted, etc.
  • While we secure traffic from your browser to our servers, it is possible for an adversary to compromise our systems and monitor traffic in and out.

Roadmap

SecretLink is in its first phase: establishing an MVP. Where it goes from here will be determined by usage patterns as well as user feedback (have ideas? let us know).