Bookmark Knocking: A Novel Technique to Hide Bookmarks

By Jacob Strieb

Published on March 12, 2021


Introduction

Imagine that you want to propose to your partner, but they sometimes use your computer. You don’t want them to see that you are bookmarking wedding rings. What do you do?

Alternatively, imagine you live with someone abusive. You decide to get help, so you look for resources on the Internet. There are helpful links, but you know if you bookmark them and your abuser goes through your computer, they may find them.[1] You can’t install a hidden bookmark extension either, because they could just as easily notice that. What do you do?

Almost a year ago, I created Link Lock – a tool to enable anyone to securely password-protect URLs. But adding a password to links isn’t always enough.

Link Lock relies on strong cryptography for security, but sometimes a layer of obscurity is a practical necessity. In other words, there are some situations where a bookmark that asks for a password is too suspicious to be useful, even if the password protection is secure.

Bookmark knocking is a novel technique to address this problem. It enables users to hide bookmarks using features already built into every web browser. There are two versions available:

Demo

This version is experimental, and is only a proof-of-concept to explore the limits of the idea. Use the stable version for anything serious.

Drag the following links to your bookmarks bar to try it out. They must be clicked in the correct order to open the secret page. Otherwise, they will open Wikipedia pages.

1 2 3

Create a Hidden Bookmark Knock Sequence

Enter a link to hide. Click “Add a step” to add an additional bookmark to the knock sequence. For each “Knock sequence step,” input where the bookmark should go if the knock sequence is incorrect or incomplete.

Drag the generated bookmarks to your bookmarks bar. Their default names are the order in which to click them, but they should be renamed.

How It Works

Bookmark knocking is similar to port knocking, for which it was named. A user who wants access to a hidden link must know to click the right bookmarks in the right “knock sequence.” If they do this, they will be redirected to the hidden page.

The concept relies on storing encrypted data about the hidden link in the URL fragment or “hash.” This is the part of the URL that comes after a #, and typically takes a user to some spot in the middle of the page.[2]

In this case, the hash contains a base64-encoded JSON object. The object consists of the AES-encrypted secret URL and the currently-attempted knock sequence. The knock sequence attempt is stored as a string of characters, and is used as a passphrase to try decrypting the secret link after each knock.

When one of the special knock sequence bookmarks is clicked, it runs JavaScript to check if the current URL fragment is base64-encoded JSON with the required information. If not, it redirects to the user-specified decoy bookmark link. If so, it adds some static characters to the current passphrase attempt string and tries to decrypt the hidden link using the newly-modified passphrase.

If decryption succeeds, it redirects to the now-decrypted, no-longer-hidden link. On the other hand, if this attempt fails, it redirects to the bookmark link that it normally would, but with a URL fragment containing updated information about the latest attempt. Then the user can perform the next knock in the sequence, and the process repeats.

Since it is perfectly valid to have an arbitrary hash at the end of a typical URL, the bookmark behaves normally if the knock sequence is incorrect or incomplete. The only distinguishing feature of the decoy bookmark URLs is the presence of a long, nonsensical fragment, which wouldn’t alarm most people.
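
The knock flow described above, as an added example that is not Link Lock's or this demo's own code. It runs under Node.js with the built-in crypto module so it works offline (a bookmark would read location.hash and use the browser's crypto instead). The JSON field names, the PBKDF2 key derivation, the per-step `chars` and `decoy` fields, and the treatment of a missing fragment as an empty attempt are all assumptions.

```javascript
// Added example. JSON field names, PBKDF2 parameters and the per-step
// `chars`/`decoy` layout are assumptions, not the project's code.
const nodeCrypto = require("node:crypto");

const keyFor = (pass, salt) => nodeCrypto.pbkdf2Sync(pass, salt, 100000, 32, "sha256");
const toB64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64");

// Encrypt the hidden URL under the complete knock passphrase (AES-256-GCM).
function hideLink(secretUrl, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", keyFor(passphrase, salt), iv);
  const ct = Buffer.concat([c.update(secretUrl, "utf8"), c.final()]);
  const [s, i, d, t] = [salt, iv, ct, c.getAuthTag()].map((b) => b.toString("base64"));
  return { salt: s, iv: i, ct: d, tag: t };
}

// Returns the plaintext URL, or null when the GCM tag does not verify.
function tryDecrypt(enc, passphrase) {
  try {
    const key = keyFor(passphrase, Buffer.from(enc.salt, "base64"));
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(enc.iv, "base64"));
    d.setAuthTag(Buffer.from(enc.tag, "base64"));
    return Buffer.concat([d.update(Buffer.from(enc.ct, "base64")), d.final()]).toString("utf8");
  } catch {
    return null; // wrong or incomplete sequence, or malformed state
  }
}

// One click on a knock bookmark: returns the URL the browser should load next.
function knock(step, currentUrl) {
  let state = { enc: step.enc, attempt: "" }; // assumed starting state
  try {
    const json = Buffer.from(new URL(currentUrl).hash.slice(1), "base64").toString("utf8");
    const parsed = JSON.parse(json);
    if (parsed && parsed.enc && typeof parsed.attempt === "string") state = parsed;
  } catch { /* no fragment or not base64 JSON: keep the fresh state */ }
  const attempt = state.attempt + step.chars; // append this bookmark's static characters
  const secret = tryDecrypt(state.enc, attempt);
  return secret !== null ? secret : `${step.decoy}#${toB64({ enc: state.enc, attempt })}`;
}

// Constructed sample: three bookmarks whose static characters form "k1k2k3".
function runSequence(order, secretUrl = "https://example.org/hidden") {
  const enc = hideLink(secretUrl, "k1k2k3");
  const steps = [1, 2, 3].map((n) => ({ enc, chars: `k${n}`, decoy: `https://example.com/decoy${n}` }));
  return order.reduce((url, n) => knock(steps[n - 1], url), "https://example.com/start");
}
```

Calling runSequence([1, 2, 3]) returns the hidden URL, while any other order ends on a decoy URL whose fragment carries the ciphertext and the accumulated attempt string.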

The simplified version of bookmark knocking built into Link Lock only supports two knocks. There is one universal second knock for any valid first knock. Then the hidden link prompts for a password. This two-knock version provides a practical level of privacy, without compromising on usability or security.

Who It Is For

Software security claims are only valid relative to a well-defined threat model. In this case, the software aims to be secure against family and friends, not agencies.

In other words, links protected with bookmark knocking (as implemented here) will be difficult to notice for most people, let alone crack. But the protection can be noticed by an astute observer, and can be broken by a determined adversary.[3]

Despite shortcomings, bookmark knocking is still a useful part of defense-in-depth. For more serious security, use the version built into Link Lock.

Don’t forget to use private browsing or incognito mode when accessing hidden links, otherwise the secret links are stored in your browser history, and the protection is worthless!

Example use cases:

Known Issues

If you have ideas for how to address the following problems, or want to discuss others, please open an issue on GitHub or use my contact form.

For Abuse Victims

This technology is designed to be helpful for anyone who needs more privacy than they feel they have, but it cannot guarantee anything. You are the expert in your own situation, and you need to judge if it is appropriate to use this software. If you are in a dangerous situation, please seek help.

From a New York Times Article on technology and domestic abuse:

If you are in immediate danger, call 911.

If your calls are being tracked, call your local services hotline, like 211 or 311, and ask to be transferred to a local resource center.

If you or someone you know is in an abusive relationship or has been sexually assaulted, call the National Sexual Assault Hotline at 800-656-HOPE or the National Domestic Violence Hotline at 800-799-SAFE (you can also chat live with an advocate at NDVH, or text LOVEIS to 22522).


  1. Unfortunately, this is a realistic scenario for many people.

  2. I have also abused the URL fragment to store entire pages – check out URL Pages!

  3. The keyspace is extremely small. Assume any attacker with all of the bookmarks in the knock sequence and the ability to brute force AES-GCM-encrypted data will successfully uncover your hidden link. On the other hand, if you hide a Link Lock URL, the hidden link will be securely password-protected.