About this website
Sharing sensitive information with others via the internet is a common task, but it can be risky. Emails containing sensitive information might accidentally get forwarded to unintended recipients, or information, once shared, might be disclosed to unauthorized parties via backups and data breaches, even years after the original communication took place.
This website allows you to securely share such sensitive information via encrypted, single-use and short-lived links. Any secret data you enter on this website is encrypted directly in your browser, providing you with a unique secret key, encoded as part of a secret-link's URL, which you can share with others. We store only the encrypted data on our servers; it can only be decrypted with the secret key contained in the URL (end-to-end encryption).
The short-lived nature of these URLs ensures that the shared information is only accessible for a limited time, reducing the risk of unauthorized access to your secrets. Additionally, the encryption ensures that even a data breach on our end would not disclose any sensitive information.
How the secret-links work
Secret-Links
When you encrypt a secret, you will get a secret-link URL like the one shown here, which you can share with the intended receiver of your secret:
Base URL: https://onetimelink.io/secret
This is the fixed part of the URL that points to the page where the secret can be retrieved and decrypted.
Secret ID: 7xK-TdPiYgMonSps
The string after the "?" sign is called the "URL parameter"; it is the unique, random identifier for the secret stored on the server.
Secret Key: _FmNrIi0OuUD7r6VKeN8huG-SYe5u__9a7vdjSKZYZw
The string after the "#" sign is called the "URL fragment"; it is the random encryption key used to decrypt the secret. Unlike the URL parameter, it is never sent to the server by your browser.
Status-Links
In addition to a secret-link, you will also receive a status-link, which looks like the one shown below and which you can use to check the remaining time until the secret-link expires. The status page also shows the number of times the encrypted secret has been accessed and gives you the option to revoke (delete) the secret-link before it expires.
Base URL: https://onetimelink.io/status
This is the fixed part of the URL that points to the page where you can check the status of your corresponding secret-link.
Secret ID: 7xK-TdPiYgMonSps
The first URL parameter is the random secret ID under which the encrypted data is stored on the server.
Secret Status Token: dNd_Uh13
The second URL parameter is a random access token, which is only used for the status page. It ensures that only you, as the one who knows the full status URL, can check and revoke the secret.
How the encryption and decryption work
All encryption and decryption operations are performed in your browser using the Web Cryptography API, which is implemented by all modern browsers. Using this API, we generate a strong, random cryptographic key to encrypt your data. While the key never leaves your browser, the encrypted data is stored on our server, referenced by a randomly generated ID. The ID and key taken together form the secret-link, which is shown to you only once, after the encryption has been performed, and which you can share with your intended recipient.
Using this secret-link, the recipient can fetch the encrypted data from our server via the ID and decrypt it in the browser using the key. The key is encoded as the "URL fragment", which is never sent to the server and is only used in the recipient's browser to decrypt the data. Strict rate-limits on the server together with the long, random ID of the secret ensure that malicious actors cannot brute-force access to the encrypted data.
To further increase the security of your secrets, you can optionally protect them with a password. This password is used to encrypt the randomly generated key, and a hash of the password is stored on the server alongside the encrypted data. The encrypted data will only be returned by our server if the correct password is entered by the recipient. The number of attempts to enter the correct password is rate-limited, which ensures that even if your secret-link has been exposed to a third party, the encrypted data cannot be accessed and brute-forced locally.
The code used for these operations is written in JavaScript and was intentionally left unobfuscated; you can review it here.
The advanced encryption features explained
Single-Use Links (enabled by default)
By default, secret-links you generate using this website are single-use links ("burn after reading"). This means that the secret can only be accessed once by any receiver. After the secret has been accessed, the secret-link will expire and cannot be accessed again. This increases security by ensuring that the secret cannot be accessed by unauthorized parties after the intended receiver has seen it; in addition, any unauthorized access to the secret before the receiver has seen it will be immediately apparent.
Limited Link Lifetime
Secret-links you generate using this website are not intended to be used for long-term storage. Instead, they expire automatically after a configurable amount of time. This raises the long-term security of the secrets you have shared by ensuring that third parties can't access them, even if they should gain access to your original secret-links at a later point in time.
Passwords
To increase the security of your secrets, we recommend the use of the optional password feature. A recipient of the secret-link must additionally enter the password to be able to retrieve and decrypt the secret. You should ideally share the password using a separate communication channel, e.g. if you send the secret-link via email, consider sending the password via a text message. This ensures that even if the secret-link is exposed to a third party, the encrypted data cannot be retrieved without the password.
Our Commitment to Security and Privacy in brief
We take your security and data privacy very seriously. To ensure the integrity of our service, we intentionally keep this website as simple as possible, avoiding external resources such as third-party libraries or tracking services that could compromise your data.
All our servers are hosted exclusively in the European Union, a region renowned for its robust data privacy culture and adherence to the General Data Protection Regulation (GDPR).