Clickable Links and their security implications

Security

Despite the fact that all of your passwords are encrypted on your mobile password safe home page, we still don't want to make it easy for others to get the URL. Whenever you follow a link from one web site to another, the browser passes a Referrer (the `Referer` header) telling the next web site which page you came from.

This means that the sites we link to would know your Mobile Password Safe URL, and we don't want that.

There is a way to hide the referrer, which we've implemented on the home page for the link to the "Hunch" site.

(It uses a "redirector" which takes you to another generic page, which then redirects to the Hunch site. Hunch only sees the generic page, not your password home page.)

Secondly, we also don't want to know which sites you're visiting.

If you went through a redirector tool on our site, our web server would see the destination and log it.

We could turn off our server logs, but that would make it difficult to run our service at all, because the logs hold important diagnostic information.

Spam

Once we have a "redirector" page, spammers can use it in their spam emails to hide their real destination and get past spam filters. Instead of sending you to:

They send you to (for example):

Spam filters look at the pw.ex.to part, not the u= part, so it would be our domain that gets blacklisted.

Since we don't want our domain name blacklisted by anti-spam companies, and we don't want to help spammers in the least, it becomes difficult to make the outbound links usable by our users only.

Our solution

Our solution uses JavaScript so that the URL you visit is hidden from our servers (it only ever exists in your browser), plus a redirect page that hides your home page URL from the sites you visit.
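The following is an added illustration of that design, not the service's own code: the destination is carried in the URL fragment (`#u=...`), which browsers never send to the server, so the redirector page cannot log it, and the redirector page is the only thing the destination could see as a referrer. The `u=` parameter name comes from the spam example above; the redirector path `/go.html` is assumed.

```javascript
// Added example (not pw.ex.to's code). Fragment-based redirector:
// the target lives after '#', which the browser keeps out of the request,
// so the server's access log never contains the destination.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Pull the destination out of a fragment like "#u=https://example.com/x".
// Returns null for anything that is not an absolute http(s) URL, so a
// javascript: or data: URL placed in the fragment is never navigated to.
function targetFromFragment(fragment) {
  const raw = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  const candidate = new URLSearchParams(raw).get("u");
  if (!candidate) return null;
  let url;
  try {
    url = new URL(candidate); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Build the link a password entry would use (redirector path is assumed).
function buildRedirectLink(redirectorBase, destination) {
  const frag = new URLSearchParams({ u: destination }).toString();
  return `${redirectorBase}#${frag}`;
}

// What the redirector's web server sees in its log: only the part before
// '#'. This is the property the text above relies on.
function requestSeenByServer(link) {
  return link.split("#")[0];
}

// In the browser, the redirector page runs this on load. The meta tag
// asks the browser to send no referrer at all to the destination (the
// page should also serve a Referrer-Policy: no-referrer header).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const dest = targetFromFragment(window.location.hash);
  if (dest) {
    const meta = document.createElement("meta");
    meta.name = "referrer";
    meta.content = "no-referrer";
    document.head.appendChild(meta);
    window.location.replace(dest); // replace() keeps the hop out of history
  }
}
```

Because the destination never reaches the server it cannot be logged, but for the same reason the server cannot inspect or filter it either, so the scheme check in the page's script is the only gate on where the link goes.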

How to test it

We offer an easy way to test the referrer security:

  1. Add https://pw.ex.to/show-referrer to one of your password entries
  2. Click on the link in the password entry
  3. View the referrer that the web server "sees"