Secure (Short) Links

Written by: Franz Josef Drexler

September 13, 2024


With youProof version 2.1, we’ve introduced our in-house link shortener. But why even bother creating another link shortener instead of using an existing one? And why do other link shorteners produce shorter links than our system? Let’s take a deeper look.

The actual link to your youProof profile is quite long. For example, this is the link to the profile used in our screenshots:

https://app.youproof.at/profile/0xE601027688Acb502F5c0Db1f6E3930C1E4f48Fb5#-00c88e2f6d5aba264c4d105f86175704451a8c3ecf4068067ee7e9b2e020c792c

This link contains two important parts:

  1. The address of your youProof profile: 0xE601027…
  2. The encryption key for the profile: -00c88e2f6d5aba…

The reasons for choosing this structure can be separated into two areas:

  • Compatibility with possible future improvements: Initially, we planned for youProof to have a decentralized mode. Using this structure leaves us the possibility of implementing this later on.
  • Data integrity is a key part of youProof’s unique selling point. While the encryption key ensures that everything is end-to-end encrypted, the address is used to verify that your data has not been tampered with.

But how does our link shortener work, and why is it secure?

First, a quick reminder of how link shorteners usually work: you send them a link, they store it in their database, and they give you a short link that points to the place in their database where they’ve stored your link. They could, at any time and without much effort, point your link to another destination without anyone noticing. Also note that you give them your link in plain text, which means that they can read and open it as well.

For youProof, this is not secure and private enough. Let’s take a look at a youProof short link. It may not be as short as the links other shorteners produce, but it’s significantly more secure.

https://app.youproof.at/profile/s#fLOsLIBT9uNZqNghitBU-u0F1O_FdZfMDWdw7NZm6io

This shorter link basically combines address and encryption key from above into one element: fLOsLIBT9uNZqNghitBU-u0F1O_FdZfMDWdw7NZm6io

This key allows us to encrypt the full link you saw at the beginning. We then upload the encrypted link to our database, using the hash of said key as an identifier.

When someone now opens one of our shortened links, the only thing our servers see is that they are accessing https://app.youproof.at/profile/s. The part after the # in a link is not transmitted to our servers. Your device (which has access to the entire link, including the part after the #) then extracts the key, loads the encrypted full link, decrypts it and then loads the youProof profile using this now decrypted full link.
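The flow described above, sketched for Node.js as an added example (this is not youProof's code). AES-256-GCM, SHA-256, the base64url key encoding, the function names and the in-memory `Map` standing in for the database are all assumptions; the page does not name the cipher or hash it uses.

```javascript
// Added example, not youProof's implementation.
// Assumptions: AES-256-GCM for encryption, SHA-256 for the identifier, base64url key.
const { createHash, createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const SHORT_BASE = 'https://app.youproof.at/profile/s'; // short-link prefix from the page

// Identifier the record is stored under: the hash of the key, never the key itself.
const recordId = (key) => createHash('sha256').update(key).digest('base64url');

// Client side: encrypt the full link locally; only { id, blob } is uploaded.
function shorten(fullLink, key = randomBytes(32)) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(fullLink, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]); // iv | tag | ciphertext
  return { shortLink: `${SHORT_BASE}#${key.toString('base64url')}`, id: recordId(key), blob };
}

// What the page request carries: the URL with its fragment stripped.
function urlSentToServer(shortLink) {
  const u = new URL(shortLink);
  u.hash = '';
  return u.href;
}

// Client side: read the key from the fragment, fetch by its hash, decrypt locally.
function resolve(shortLink, fetchBlob) {
  const key = Buffer.from(new URL(shortLink).hash.slice(1), 'base64url');
  if (key.length !== 32) throw new Error('malformed key in fragment');
  const blob = fetchBlob(recordId(key));
  if (!blob) throw new Error('unknown short link');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the stored blob was changed by someone who lacks the key
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed demo: a Map plays the server database; the full link is a placeholder.
function demo() {
  const db = new Map();
  const full = 'https://app.youproof.at/profile/0xADDRESS#-PROFILEKEY';
  const { shortLink, id, blob } = shorten(full);
  db.set(id, blob);
  const resolved = resolve(shortLink, (i) => db.get(i));
  db.get(id)[30] ^= 1; // server-side modification of the stored ciphertext
  let tamperDetected = false;
  try { resolve(shortLink, (i) => db.get(i)); } catch { tamperDetected = true; }
  return { seen: urlSentToServer(shortLink), resolved, full, tamperDetected };
}
```

Authenticated encryption only catches changes made without the key: anyone who holds the complete short link can compute the same identifier and produce a new blob that decrypts cleanly.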

Security Considerations

At no time does our backend have access to any of your keys. This means that we can neither read nor edit your data without you or the people viewing your youProof profile noticing. The only exception: if we get hold of your short link, we could theoretically make your link point to another youProof profile. However, solving this requires a fair amount of blockchain, decentralization and open sourcing parts of our software. Until then, you’ll have to trust us to be honest.

Finally, don’t forget to download and try out youProof—it’s free and doesn’t even require an email address.