Secret URL

If you do not want your post to be visible to everyone, you can generate a secret URL for your post instead of a regular one. To generate a secret URL, select the 'Generate secret URL' checkbox before saving a post. The generated URL contains a 'key' parameter with a long secret key as its value. Only those who have the complete URL can see your post.

Security of the key

The secret key that becomes part of the URL is the hexadecimal representation of a 160-bit number produced by a cryptographically secure pseudorandom number generator (CSPRNG) using OpenSSL. The following PHP code generates this key:

bin2hex(openssl_random_pseudo_bytes(20));

This means two things.

  1. Given a portion of the key, it is not feasible to obtain any information about the remaining portion of the key.
  2. Given a sequence of keys obtained from the URLs of existing secret posts, no information about the keys of other secret posts can be obtained.
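
The example below is an addition, not this website's own code. It shows how the generation step can refuse weak randomness and how a 'key' parameter can be checked against the stored key in constant time. The function names, the paste.example URL and the checking logic are assumptions.

```php
<?php
// Added example; the function names and URL layout are hypothetical.

// Generate the 160-bit key as 40 hex characters, refusing weak output.
function generate_secret_key(): string
{
    $strong = false;
    // The second argument reports whether a strong algorithm was used.
    $bytes = openssl_random_pseudo_bytes(20, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('No cryptographically strong randomness available');
    }
    return bin2hex($bytes);
}

// Compare the 'key' request parameter with the key stored for the post.
function key_matches($supplied, string $stored): bool
{
    // Reject array parameters (?key[]=x) and anything that is not
    // exactly 40 lowercase hex characters, the format bin2hex() emits.
    if (!is_string($supplied) || preg_match('/\A[0-9a-f]{40}\z/', $supplied) !== 1) {
        return false;
    }
    // hash_equals() takes the same time wherever the first mismatch is,
    // so response timing does not reveal how much of a guess was right.
    return hash_equals($stored, $supplied);
}

// Constructed demonstration: build a secret URL, then check three requests.
$stored = generate_secret_key();
$url = 'https://paste.example/1234?key=' . $stored;
parse_str(parse_url($url, PHP_URL_QUERY), $query);

var_dump(key_matches($query['key'] ?? null, $stored));  // complete key from the URL
var_dump(key_matches(substr($stored, 0, 39), $stored)); // key with one character missing
var_dump(key_matches(['x'], $stored));                  // array instead of a string
```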

Caveats

Secret posts are hidden only from search engines, web crawlers and other users of this website. They are not hidden from the administrator of this website or from the administrators of the routers through which you communicate with it. When your request travels from your browser to the web server running this website, the complete URL, including the secret key, is transmitted in plaintext to the web server via many routers. The admins of these routers and of this web server can retrieve the complete URL from their log files and read your secret post.

Since secret posts are hidden only from other users but are visible to administrators of routers and this web server, you should not post any top secret material on this website.

The secrecy of your secret post also depends on you and the people you share your post with. A secret post can be accessed if and only if the secret key of the post is present in the URL. Since the secret key is part of the URL, the URL should not be shared with any untrusted parties.

If the complete URL falls into the hands of an untrusted party, this website does not provide any way to change the secret key, because changing it would be futile. Anyone who has the URL can create a public (non-secret) copy of your secret post with just two clicks (unchecking the 'Generate secret URL' checkbox and hitting the submit button) before you could change the secret key.

Sunday, 25 March 2012 00:00 GMT