Some details that are not entirely related to security were omitted from this file to keep it easy to understand.
Shortening of URLs
An 8-character password is generated (which is used for encryption),
the provided URL is encrypted using sjcl. The previously generated password is first hashed using PBKDF2 with 100,000 iterations to slow down brute-force attacks,
the encrypted URL is sent to our server.
Our server generates a random, 6-character ID for the URL,
that ID is hashed using SHA256,
your data is saved to a key/value database like this: key: [sha256 hash] / value: [encrypted url],
the plaintext ID is sent back to the client.
The website displays the short URL. That URL consists of the plaintext ID and the password; however, these are not sent to the server.
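The shortening steps above, end to end, as an added example that is not yeeturl's own code: it uses Node's built-in crypto (PBKDF2-SHA256 and AES-256-GCM) as a stand-in for sjcl, and a Map as the key/value database. The character set, salt and IV sizes, blob layout and all function names are assumptions; `clientDecrypt` exists only to confirm that the stored blob is recoverable with the password.

```javascript
const crypto = require('node:crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; // assumed character set
const ITERATIONS = 100000; // PBKDF2 iteration count stated on the page

// Uniform random string; crypto.randomInt avoids modulo bias.
function randomString(length) {
  let out = '';
  for (let i = 0; i < length; i++) out += ALPHABET[crypto.randomInt(ALPHABET.length)];
  return out;
}

// Client side: stretch the password, then encrypt the URL (AES-256-GCM stands in for sjcl).
function clientEncrypt(url, password) {
  const salt = crypto.randomBytes(16); // assumed salt size
  const iv = crypto.randomBytes(12);   // assumed IV size
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(url, 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Client side: reverse of clientEncrypt; throws if the password or blob is wrong.
function clientDecrypt(blob, password) {
  const [salt, iv, tag, ct] = blob.split('.').map((s) => Buffer.from(s, 'base64'));
  const key = crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, 'sha256');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

const sha256Hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Server side: sees only ciphertext; stores it under SHA-256(ID) and returns the plaintext ID.
function serverStore(db, encryptedUrl) {
  const id = randomString(6);
  db.set(sha256Hex(id), encryptedUrl);
  return id;
}

// Full flow: returns the two secrets that make up the short URL.
function shorten(db, url) {
  const password = randomString(8);
  const id = serverStore(db, clientEncrypt(url, password));
  return { id, password };
}
```

A dump of `db` after `shorten` holds only a SHA-256 digest and an opaque blob; neither the plaintext ID nor the password appears in it.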
Redirecting short URLs
This is a set of requirements the developer has to follow before submitting code into this repository.
We do everything in our power to keep your instance from being exploited, as that would be a big disaster for our public instance too. yeeturl can run with very few privileges and read-only filesystem access.
Because yeeturl encrypts your links, and almost never stores your data in plaintext (including IDs of links), attackers can't do much (if anything) with the data. This isn't an excuse for server admins to use poorly secured databases though.