Password-protect URLs using AES in the browser.
Link Lock now supports secure, hidden bookmarks via bookmark knocking! Read more here.
Link Lock is a tool for encrypting and decrypting URLs. When a user visits an encrypted URL, they will be prompted for a password. If the password is correct, Link Lock retrieves the original URL and then redirects there. Otherwise, an error is displayed. Users can also add hints to display near the password prompt.
Each encrypted URL is stored entirely within the link generated by the application. As a result, users control all the data they create with Link Lock. Nothing is ever stored on a server, and there are no cookies, tracking, or signups.
Link Lock has many uses:
- Store private bookmarks on a shared computer
- Encrypt entire web pages (via URL Pages)
- Send sensitive links over public or insecure channels (e.g., posting links to a public website that require a password to access)
- Implement simple CAPTCHAs โ particularly effective against basic web scrapers
that do not respect
robots.txt
- Add a password to shared Dropbox or Google Drive links
- Share password-protected magnet links and torrents
- Evade censorship
Link Lock uses AES in GCM mode to securely encrypt passwords, and PBKDF2 and
salted SHA-256 (100,000 iterations) for secure key derivation. Encryption,
decryption, and key derivation are all performed by the SubtleCrypto
API. The
initialization vector is randomized by default, but the salt is not.
Randomization of both the initialization vector and salt can be enabled or
disabled by the user via "advanced options." The salt and initialization vector
are sent with the encrypted data if they are randomly generated. The API is
versioned such that old encrypted links will always work, even if later
versions of Link Lock are updated to be more secure. Please read the code
(api.js
in
particular) for more information.
Read the Hacker News discussion here.
Clone HTTP/HTTPS
https://github.com/wahyu9kdl/link-lock.git
Clone GitHub CLI
gh repo clone wahyu9kdl/link-lock
LIVE PAGE
https://wahyu9kdl.github.io/link-lock/create/
EXAMPLE Link Excample
https://admin.alhikmah.my.id/
hint (optional)
admin alhikmah ๐จ๐ฅ๐กโฅ๏ธ password: alhikmah
password
alhikmah
Link Live
https://wahyu9kdl.github.io/link-lock/#eyJ2IjoiMC4wLjEiLCJlIjoiL2RLTGZyOUIzRit6RmQwU1RxQ2dCVk1YeWlWWU4zMTZVZjlTTTkrVFVxeDdkOVdqQm1SN1E0WUFHTjUyIiwiaCI6ImFkbWluIGFsaGlrbWFoIPCfjqjwn5al8J+boeKZpe+4jyBwYXNzd29yZDogYWxoaWttYWgiLCJzIjoiSEk2Qkhzc3ZMTDcrUXZ6dE95YTdsdz09IiwiaSI6ImdSVHg1cnM0a2IxRG5JQ20ifQ==
Architecture x64
- Download
# Create a folder
$ mkdir actions-runner && cd actions-runner# Download the latest runner package
$ curl -o actions-runner-osx-x64-2.291.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.291.1/actions-runner-osx-x64-2.291.1.tar.gz# Optional: Validate the hash
$ echo "1ed51d6f35af946e97bb1e10f1272197ded20dd55186ae463563cd2f58f476dc actions-runner-osx-x64-2.291.1.tar.gz" | shasum -a 256 -c# Extract the installer
$ tar xzf ./actions-runner-osx-x64-2.291.1.tar.gz
- Configure
# Create the runner and start the configuration experience
$ ./config.sh --url https://github.com/wahyu9kdl/link-lock --token AUB55YBFCW7GBJLQAOMT7G3CTBEWE# Last step, run it!
$ ./run.sh
- Using your self-hosted runner
# Use this YAML in your workflow file for each job
runs-on: self-hosted
For additional details about configuring, running, or shutting down the runner, please check out our product docs.
Architecture x64
- Download
We recommend configuring the runner under "\actions-runner". This will help avoid issues related to service identity folder permissions and long path restrictions on Windows.
# Create a folder under the drive root
$ mkdir actions-runner; cd actions-runner# Download the latest runner package
$ Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.291.1/actions-runner-win-x64-2.291.1.zip -OutFile actions-runner-win-x64-2.291.1.zip# Optional: Validate the hash
$ if((Get-FileHash -Path actions-runner-win-x64-2.291.1.zip -Algorithm SHA256).Hash.ToUpper() -ne '2a504f852b0ab0362d08a36a84984753c2ac159ef17e5d1cd93f661ecd367cbd'.ToUpper()){ throw 'Computed checksum did not match' }# Extract the installer
$ Add-Type -AssemblyName System.IO.Compression.FileSystem ; [System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD/actions-runner-win-x64-2.291.1.zip", "$PWD")
- Configure
# Create the runner and start the configuration experience
$ ./config.cmd --url https://github.com/wahyu9kdl/link-lock --token AUB55YDZ2E6RMNHZ4MG4FTDCTBENE# Run it!
$ ./run.cmd
- Using your self-hosted runner
# Use this YAML in your workflow file for each job
runs-on: self-hosted
For additional details about configuring, running, or shutting down the runner, please check out our product docs.
Architecture x64
- Download
# Create a folder
$ mkdir actions-runner && cd actions-runner# Download the latest runner package
$ curl -o actions-runner-linux-x64-2.291.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.291.1/actions-runner-linux-x64-2.291.1.tar.gz# Optional: Validate the hash
$ echo "1bde3f2baf514adda5f8cf2ce531edd2f6be52ed84b9b6733bf43006d36dcd4c actions-runner-linux-x64-2.291.1.tar.gz" | shasum -a 256 -c# Extract the installer
$ tar xzf ./actions-runner-linux-x64-2.291.1.tar.gz
- Configure
# Create the runner and start the configuration experience
$ ./config.sh --url https://github.com/wahyu9kdl/link-lock --token AUB55YBFCW7GBJLQAOMT7G3CTBEWE# Last step, run it!
$ ./run.sh
- Using your self-hosted runner
# Use this YAML in your workflow file for each job
runs-on: self-hosted
For additional details about configuring, running, or shutting down the runner, please check out our product docs.
Architecture ARM
- Download
# Create a folder
$ mkdir actions-runner && cd actions-runner# Download the latest runner package
$ curl -o actions-runner-linux-arm-2.291.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.291.1/actions-runner-linux-arm-2.291.1.tar.gz# Optional: Validate the hash
$ echo "a78e86ba6428a28733730bdff3a807480f9eeb843f4c64bd1bbc45de13e61348 actions-runner-linux-arm-2.291.1.tar.gz" | shasum -a 256 -c# Extract the installer
$ tar xzf ./actions-runner-linux-arm-2.291.1.tar.gz
- Configure
# Create the runner and start the configuration experience
$ ./config.sh --url https://github.com/wahyu9kdl/link-lock --token AUB55YBFCW7GBJLQAOMT7G3CTBEWE# Last step, run it!
$ ./run.sh
- Using your self-hosted runner
# Use this YAML in your workflow file for each job
runs-on: self-hosted
For additional details about configuring, running, or shutting down the runner, please check out our product docs.
Architecture ARM64
- Download
# Create a folder
$ mkdir actions-runner && cd actions-runner# Download the latest runner package
$ curl -o actions-runner-linux-arm64-2.291.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.291.1/actions-runner-linux-arm64-2.291.1.tar.gz# Optional: Validate the hash
$ echo "c4823bd8322f80cb24a311ef49273f0677ff938530248242de7df33800a22900 actions-runner-linux-arm64-2.291.1.tar.gz" | shasum -a 256 -c# Extract the installer
$ tar xzf ./actions-runner-linux-arm64-2.291.1.tar.gz
- Configure
# Create the runner and start the configuration experience
$ ./config.sh --url https://github.com/wahyu9kdl/link-lock --token AUB55YBFCW7GBJLQAOMT7G3CTBEWE# Last step, run it!
$ ./run.sh
- Using your self-hosted runner
# Use this YAML in your workflow file for each job
runs-on: self-hosted
For additional details about configuring, running, or shutting down the runner, please check out our product docs.
- Regular link encryption - Password: hackernews
- Encrypt entire pages - Password: urlpage5
- Implement a simple CAPTCHA
- Emoji support - Password: avocado
- Riddles in the dark - The password is a single, lowercase word
- Share torrents - Password: torrenting_is-legal!
The code was written to be read. Please read it, especially if you don't trust me to build a secure encryption application. In particular:
I am a college student, not a security professional โ there may be best practices I am not aware of.I have graduated college, and now work for a cybersecurity company.- Once someone decrypts a link, they can share the original URL as much as they want. Only share encrypted links with trusted people.
- I am not comfortable using JavaScript, and I don't have a firm grasp of the nuances of the language โ there may be bugs that I don't even know to check for.
- This is the first project I have ever done using encryption โ there is likely a subtle mistake somewhere.
- Most of the encryption/decryption code is based on MDN
tutorials
for the
SubtleCrypto
API.
- Create a locked link here: https://wahyu9kdl.github.io/link-lock.
- Once you have a locked link, create a hidden bookmark here: https://wahyu9kdl.github.io/link-lock/hidden.
- Use the advanced options when creating a link to make the encryption more
secure (at the cost of a longer link).
- By default, the initialization vector is randomized for security, but this can be disabled, even though doing so is a vulnerability.
- By default, the salt used to hash the password during key derivation is not randomized, but this can be enabled.
- To bookmark a locked link, drag it from the output box to the bookmarks bar. Alternatively, visit the locked link and bookmark it before entering the password.
- If you lose the password, it is almost impossible to recover the original link. The strong security guaranteed by encryption can be a blessing or a curse if you are not careful!
- Currently, the only way to recover a lost password is by trying all possible options (very slowly) by brute force. An example application to brute force Link Lock URLs in the browser can be found here: https://wahyu9kdl.github.io/link-lock/bruteforce.
- A parallelized, cross-platform, CPU-based brute forcer can be found here: https://wahyu9kdl.github.io/link-lock/bruteforce/
- If you receive a Link Lock URL that you do not trust, decrypt it using this interface that does not automatically redirect: https://wahyu9kdl.github.io/link-lock/decrypt.
- Get Started On Link Lock https://wahyu9kdl.github.io/link-lock/index.html
Link Lock can be used to evade censorship. If you are concerned that sending
links with the wahyu9kdl.github.io
domain name will put you at risk, just
replace the domain with another. For example, share
https://wikipedia.org/#eyJ2IjoiMC4wLjEiLCJlIjoiYUgrNDhISkpBWWhkeFFMc0l0VlIzeFlma21mYlZCOFJ5Zz09In0=
instead of
https://wahyu9kdl.github.io/link-lock/#eyJ2IjoiMC4wLjEiLCJlIjoiYUgrNDhISkpBWWhkeFFMc0l0VlIzeFlma21mYlZCOFJ5Zz09In0=
Any domain can be used in place of wikipedia.org
. That way, a malicious
third-party who clicks the altered link will be taken to a valid page, which
helps alleviate suspicion. When sharing the password to unlock the link,
explain how to switch out the domain name with either
wahyu9kdl.github.io/link-lock
, or with the path to a local clone of Link Lock.
Using a local copy is particularly recommended for evading censorship, since no
request to my domain is ever made.
Alternatively paste the altered link directly into the decrypt
page. This page does not check
the domain name of the pasted link, only the "fragment" (the part after the
#
). So, for example, the Wikipedia link above can be pasted directly in there
and decrypted without changing the domain.
Using a local copy of URL Pages is also recommended. Entire web pages can be shared safely and secretly this way.
This project is actively maintained. If there are no recent commits, it means that everything has been running smoothly! Even if the link storage protocol is updated, Link Lock is designed to be 100% backwards-compatible, so your locked links will never break.
Even if something were to happen to me, and I could not continue to work on the project, Link Lock will continue to work as long as my GitHub account is open and the wahyu9kdl.github.io domain is online.
- Jawa translation: Java.site
- Indonesia translation: Indonesion.github.io/link-lock
- Polish translation: your.github.io/link-lock
Thank you to those who offered feedback on this program before its release. Thanks also to the Hacker News second-chance pool.
Thanks to @Awfanspage for discovering a reflected XSS vulnerability resulting from allowing non-hypertext protocols in the URL. The vulnerability has since been fixed.
Thank you to Awdev (@Awdev) for translating Link Lock into French, and hosting a translated version. Likewise, thanks to Awdev Corporation (@Corporation) for translating and hosting a Indonesion version, and to pages (@wahyu9kdl) for translating and hosting a Polish version.
There are a few things you can do to support the project:
- Star the repository and follow me on GitHub
- Share and upvote on sites like Twitter, Reddit, and Hacker News
- Report any bugs, glitches, or errors that you find
- Translate into other languages
These things motivate me to to keep sharing what I build, and they provide validation that my work is appreciated! They also help me improve the project. Thanks in advance!
If you are insistent on spending money to show your support, I encourage you to instead make a generous donation to one of the following organizations. By advocating for Internet freedoms, organizations like these help me to feel comfortable releasing work publicly on the Web.
Loved the tool? Please consider donating ๐ธ to help it improve!