jstrieb / link-lock

Password-protect URLs using AES in the browser; create hidden bookmarks without a browser extension
https://jstrieb.github.io/link-lock
MIT License
863 stars 161 forks

Can you not show the letters when entering the password? #7

Closed Cielain closed 1 year ago

Cielain commented 3 years ago

Hey there!

I am really enjoying this project, it's exactly what I was looking for. My only problem with it is that when I enter the password for the locked link, all the letters are visible. I am encrypting the links so that only certain persons and I can use them, but when the password is clearly visible for everybody nearby whilst I am entering it, it's kinda defying its purpose for me. Is there an option to not show the letters you are entering when asked for the password? Or can you implement it?

Thanks a lot for this tool.

Cielain

jstrieb commented 3 years ago

Hi @Cielain, thanks for taking the time to raise this issue!

Even though this has not been implemented yet, I absolutely acknowledge that displaying the password in plaintext can be a bit inconvenient. It is a long-term feature I have considered adding, but I will bump it up since you have expressed interest. I'm currently finishing my final semester, so I expect to take a look at issues in my personal projects sometime over the summer.

In the meantime, the brief background on why I chose to do it this way initially is that it was easier, and avoided a potential security problem. It was easier because I wouldn't have to make an additional page for entering the password (this would admittedly be similar to the page to lock a link, but I was hustling to get it to a stage where I was comfortable releasing it), and then the feature fell to the back-burner. Regarding security: since users can enter hints, I was concerned about displaying them in a way that might accidentally lead to a cross-site scripting vulnerability, and using the JavaScript window.prompt avoided this.

That being said, you're right that it has the potential to introduce a practical security risk when someone might be looking over your shoulder! I'll look into taking care of this eventually, and in the meantime will leave the issue open.

Almost forgot: if you're still concerned, in the meantime, you can use the "decrypt page" here: https://jstrieb.github.io/link-lock/decrypt/

This page doesn't do the automatic redirect, but it does use a proper password field.

Thanks again for your interest in this project!
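Added example (not link-lock's own code) of the alternative discussed above: a custom prompt that renders the creator-supplied hint as a text node rather than as markup, so it cannot introduce the cross-site scripting problem mentioned, while collecting the password in a masked field. The `doc` parameter, the element layout and the sample hint are assumptions for illustration.

```javascript
// Added example, not part of link-lock: build a password prompt that shows a
// user-supplied hint safely and masks the password as it is typed.
// `doc` is passed in so the builder can be exercised outside a browser.
function buildPasswordPrompt(doc, hint) {
  const form = doc.createElement("form");

  // The hint is written by whoever created the link, so it is untrusted input.
  // textContent inserts it as a text node; `hintEl.innerHTML = hint` would let a
  // hint such as '<img src=x onerror=alert(1)>' run script on the decrypt page.
  const hintEl = doc.createElement("p");
  hintEl.textContent = hint ? "Hint: " + hint : "";
  form.appendChild(hintEl);

  const input = doc.createElement("input");
  input.type = "password";      // masked entry, unlike window.prompt's cleartext
  input.autocomplete = "off";
  input.required = true;
  form.appendChild(input);

  const submit = doc.createElement("button");
  submit.type = "submit";
  submit.textContent = "Unlock";
  form.appendChild(submit);

  return { form, hintEl, input };
}

// Resolve with the entered password once the form is submitted (browser only).
function promptForPassword(doc, hint) {
  const { form, input } = buildPasswordPrompt(doc, hint);
  doc.body.appendChild(form);
  return new Promise((resolve) => {
    form.addEventListener("submit", (ev) => {
      ev.preventDefault();
      resolve(input.value);
      form.remove();
    });
  });
}

if (typeof document !== "undefined") {
  // Constructed sample hint containing markup, shown here only to demonstrate
  // that it ends up rendered as plain text.
  promptForPassword(document, "<img src=x onerror=alert(1)> first pet's name")
    .then((pw) => console.log("password length:", pw.length));
}
```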

jstrieb commented 1 year ago

It's been a little less than two years, but I finally got around to this!

All links that have been created will no longer prompt the user to enter a cleartext password.