Simple, usable and end-to-end encrypted URL shortener written in Node.js

yeeturl Security

Some things in this file that are not entirely related to security were omitted in order to make sure it would be easy to understand.

How it Works

Shortening of URLs

  • An 8-character password is generated (which is used for encryption),

  • the provided URL is encrypted using sjcl. The password generated in the previous step is first hashed using PBKDF2 with 100,000 iterations to slow down brute-force attacks,

  • the encrypted URL is sent to our server.

  • Our server generates a random, 6-character ID for the URL,

  • that ID is hashed using SHA256,

  • your data is saved to a key/value database like this: key: [sha256 hash] / value: [encrypted url],

  • the plaintext ID is sent back to the client.

  • The website displays the short URL. That URL consists of the plaintext ID and the password; however, these are not sent to the server.

Redirecting short URLs

  • The ID is hashed with SHA256 and a request for the encrypted data is made to our server,
  • our webserver retrieves the encrypted URL from our database and sends it back to the client,
  • the encrypted link is automatically decrypted; the password was already provided inside the short link,
  • the long (previously shortened) URL is sanitized (to prevent injection of HTML) and displayed to the user. The user can now decide whether they want to get redirected or not.

Security Principles

This is a set of requirements the developer has to follow before submitting code into this repository.

  • Keep things automatic and seamless: the majority of the world wants things to "just work".
  • Never send the URL or password in plaintext: the server should never be allowed to read the user's links, for any purpose.
  • Write simple, maintainable code: keeping things simple makes the code less prone to major security vulnerabilities.
  • Think of any ways your code could be exploited.
  • If possible, do things on the client side.
  • Don't be too paranoid, but also don't be too careless.

Security for administrators

We do everything in our power to keep your instance from being exploited, as that would be a big disaster for our public instance too. yeeturl can run with very few privileges and read-only filesystem access.

Because yeeturl encrypts your links and almost never stores your data in plaintext (including the IDs of links), attackers can't do much (if anything) with the data. This isn't an excuse for server admins to use poorly secured databases, though.

Discovered Vulnerabilities

  • none yet