English-language URL shortening service from Hideuri.com

10.Oct.2021

Over the course of several months, I have been considering how to make the internet more secure. Given that websites are routinely breached, I realized it may be valuable to create a URL shortening service which would allow messages between users without fear of these messages being accessed by an unauthorized third party.

Research into existing services showed that this was generally not possible without extensive development work on their side due to API limitations or potentially by building upon custom APIs.

I decided to write my own. Today, I am releasing it as open source at 1drv.ms. It is still in beta - there may be bugs and rough edges so please bear with me while they get ironed out! You can think of it as roughly equivalent in function to bit.ly or goo.gl, but without reliance on any third party service.

In the future, I hope to add more features such as a search function and automatically generating statistical reports similar to bit.ly's stats page. Please post your thoughts and suggestions below!

What is 1drv.ms?

1drv.ms (pronounced one drive minus s), which you can find at http://1drv.ms/, is designed for secure messaging between two or more people without fear of message interception by unauthorized parties. For example, if Alice wants to send Bob an encrypted message that only he will read, she can link him to https://1drv.ms/u/bob where it says "My message to bob" and he will see something like this:

Hi Bob! My message to you is encrypted so no one else can read it. Just click the button below -A

Upon clicking "Okay", Alice's browser automatically signs Bob in using OAuth 2.0, generates a short random URL for him to use to access his message, then opens that URL in Bob's browser where he can decrypt the message with his password. The decryption process verifies that Alice sent the message by checking her digital signature against an authoritative store of her public key hashes.
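The sender check described above can be sketched as follows. This is an added example, not 1drv.ms code: it assumes Ed25519 signatures and treats a "public key hash" as SHA-256 over the DER-encoded key, and `makeKeyStore`, `verifyMessage` and `signEnvelope` are hypothetical names.

```javascript
// Added illustration; not 1drv.ms code. Assumed: Ed25519 signatures and
// SHA-256 over the DER-encoded SPKI public key as the "public key hash".
const crypto = require('node:crypto');

// Fingerprint a public key given as DER-encoded SPKI bytes.
function keyFingerprint(spkiDer) {
  return crypto.createHash('sha256').update(spkiDer).digest('hex');
}

// Hypothetical authoritative store: sender name -> set of pinned fingerprints.
function makeKeyStore() {
  const pins = new Map();
  return {
    pin(sender, spkiDer) {
      if (!pins.has(sender)) pins.set(sender, new Set());
      pins.get(sender).add(keyFingerprint(spkiDer));
    },
    isPinned(sender, spkiDer) {
      const set = pins.get(sender);
      return Boolean(set && set.has(keyFingerprint(spkiDer)));
    },
  };
}

// Accept a message only if (1) the key presented with it is pinned for the
// claimed sender and (2) the signature verifies under that key.
function verifyMessage(store, envelope) {
  const { sender, body, signature, spkiDer } = envelope;
  if (!store.isPinned(sender, spkiDer)) return { ok: false, reason: 'unpinned-key' };
  const key = crypto.createPublicKey({ key: spkiDer, format: 'der', type: 'spki' });
  const valid = crypto.verify(null, Buffer.from(body, 'utf8'), key, signature);
  return valid ? { ok: true } : { ok: false, reason: 'bad-signature' };
}

// Demo helper: build a signed envelope from a constructed key pair.
function signEnvelope(sender, body, keyPair) {
  return {
    sender,
    body,
    signature: crypto.sign(null, Buffer.from(body, 'utf8'), keyPair.privateKey),
    spkiDer: keyPair.publicKey.export({ type: 'spki', format: 'der' }),
  };
}
```

Checking the pin before the signature matters: a signature that verifies under a key the store has never seen proves nothing about who sent the message.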

How does 1drv.ms work?

1drv.ms uses Authlete's OAuth2 implementation as well as JWTs. Authlete does most of the heavy lifting and provides a fully functional OAuth2 server. The JWT implementation is used to encode and decode access tokens.

1drv.ms does not store any user passwords itself - they are stored in the user's browser with Authlete's built-in password storage functionality.

To ensure security, 1drv.ms uses the following:

These measures help ensure that even if an attacker compromises one of your devices, they cannot decrypt your messages unless they also compromise your Authlete account or can somehow steal your password from Authlete securely (i.e., without it being sent over a network connection which could allow man-in-the-middle eavesdropping).

What will 1drv.ms look like in the future?

Over time, 1drv.ms may look different than it does today! I will try to keep this post up-to-date with screenshots of new changes, but please bear with me if this becomes out of date.

Eventually, I hope that 1drv.ms can do everything that services such as bit.ly and goo.gl already offer at no cost to users beyond operating costs for the server(s). For example, search is currently not implemented so you must remember your short URL or copy/paste it into your browser's address bar. This is fine for most users (and desirable in some cases), but would be nice to have in addition to exporting reports showing click statistics by date. Exporting those reports would be nice as an easy way to keep track of clicks or debug why something isn't working properly (e.g., a URL forwarding bug).

Short URLs and limitations

To ensure security and scalability, 1drv.ms uses short URLs by default - these are around 15 characters long with no special characters. To make the URLs easier to type and share, you can use custom URLs up to 40 characters long which may contain upper-case letters, lower-case letters, numbers, and most symbols (i.e., punctuation such as periods). The extra spaces at the end of your custom URL do not matter; they will be trimmed for display purposes only. You cannot set a custom URL to contain uppercase letters because the access token will not be case-sensitive.
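The sketch below is an added example, not 1drv.ms code, showing one way to generate 15-character slugs from a CSPRNG and to normalize custom URLs so that two aliases differing only in case or trailing spaces cannot coexist. The alphabet, the allowed punctuation set, and the names `randomSlug`, `canonicalAlias` and `makeRegistry` are assumptions.

```javascript
// Added illustration; not 1drv.ms code. Assumed: lower-case letters and digits
// as the slug alphabet, and aliases folded to lower case before any lookup.
const { randomInt } = require('node:crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';
const SLUG_LENGTH = 15;   // "around 15 characters" per the text above
const ALIAS_MAX = 40;     // custom URL limit per the text above

// Draw each character from the OS CSPRNG; randomInt avoids modulo bias.
function randomSlug() {
  let slug = '';
  for (let i = 0; i < SLUG_LENGTH; i++) slug += ALPHABET[randomInt(ALPHABET.length)];
  return slug;
}

// Guessing resistance of a random slug, in bits.
function slugEntropyBits() {
  return SLUG_LENGTH * Math.log2(ALPHABET.length);
}

// Canonical lookup key for a custom alias, or null if it is not acceptable.
// Allowed punctuation (. _ ~ -) is an assumption: the URL-unreserved set.
function canonicalAlias(input) {
  const trimmed = String(input).trim();
  if (trimmed.length === 0 || trimmed.length > ALIAS_MAX) return null;
  if (!/^[A-Za-z0-9._~-]+$/.test(trimmed)) return null;
  return trimmed.toLowerCase();
}

// Hypothetical in-memory registry keyed by the canonical form, so "Bob" and
// "bob " map to the same entry and a second claim cannot shadow the first.
function makeRegistry() {
  const links = new Map();
  return {
    claim(alias, target) {
      const key = canonicalAlias(alias);
      if (key === null) return { ok: false, reason: 'invalid' };
      if (links.has(key)) return { ok: false, reason: 'taken' };
      links.set(key, target);
      return { ok: true, key };
    },
    resolve(alias) {
      const key = canonicalAlias(alias);
      return key === null ? undefined : links.get(key);
    },
  };
}
```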

The short URLs are stored in symlinks so if you shorten or delete a link, the data will still exist but your custom URL won't work anymore until it is re-created. You can always get a list of all links you created via "My links" on the navigation bar at https://1drv.ms/u/my

Client compatibility and installation procedure for end users

You don't have to install anything to use 1drv.ms but some browsers or add-ons may require extra steps. For example, Chrome requires an add-on called MetaMask that acts as a bridge between web apps and scripts installed on your computer (some of which may run only on your local computer and not in the cloud). Alternatively, users can use a browser that does not require any add-ons or browsers that are able to directly access appspot.com sites (e.g., https://appnamehere.appspot.com/ where appnamehere is your custom URL).

Users without Chrome must install the MetaMask add-on available for Firefox, Safari, Opera, or Brave. Once installed, they need to create an account with Authlete on https://authlete.com/customer by clicking on "Sign up" then using their GitHub account if they have one (otherwise just enter some random text into the username field) then following instructions given after clicking "Create an account" and finally "Confirm your new account." Once they have created an account, they must authorize the browser to talk to Authlete. They can do this by clicking on "Allow" when prompted (or if they see a different prompt then click the same button there) and then creating a password or setting their password back to being randomly generated if that was what it was before.

To create tokens for 1drv.ms, navigate to https://1drv.ms/u/oauth2 in your browser after installing the MetaMask add-on. Click on "Create token" then enter some random text into both boxes under "Step 2" (i.e., Your name and Prefer symmetric keys over asymmetric keys) then click "Create token." If you are using Firefox, after clicking on the button you will be prompted to enter your password.

You can now use your custom URL by navigating to https://appnamehere.appspot.com where appnamehere is replaced with the name of your client (e.g., if it's 1drv then go to https://1drv.ms). To generate a list of all available clients, navigate to https://authlete.com/clients and click on each link displayed until you find the one that works for you - remember that some browsers may need extra steps not covered here so see their documentation or try asking for help at #dailyjs on Freenode IRC.
