
Show HN: URL Canary – Get an alert when someone finds your secrets - jstanley
https://urlcanary.com/
======
CamTin
You might think about embedding bounties in crypto blockchains. For example,
create BTC wallets that can be unlocked using a secret sitting next to (or
steganographically embedded in) the secret you're trying to protect. This
gives the person uncovering the secret an incentive to activate the canary.
{RI,MP}AA are apparently doing this with their music and movies, so they know
when they are showing up on pirate sites.

~~~
foepys
As skeptical as I am about crypto currencies, this is a really interesting
application. Basically exploiting human greed. Thank you for sharing it.

~~~
sli
That's some awfully pessimistic and dehumanizing language. I just consider it
to be paying someone for the trouble rather than jumping straight to
"exploiting greed."

~~~
scott_s
Since the person profiting is someone who obtained the secret through shady
means - either breaking into an insecure system, or taking advantage of their
access to a system which doesn't encrypt passwords - I don't consider it
pessimistic or dehumanizing to describe the behavior as greed.

~~~
wolco
Greed is a subjective term. The company who is charging money could be
described as greedy for making a profit when they could have lowered the price
to remove any excess profit. Why is the person who understands and uses the
system in a way it wasn't intended greedy?

~~~
scott_s
Because they're stealing secrets from people? I confess I'm confused why this
is confusing. The exercise here is to know when something is public that you
want to keep secret. The proposed solution is to make the secret something that
has value independent of its secretness, to tempt those that stole the secret
to obtain that independent value. I'm fine attaching "greed" to profiting from
stealing secrets.

------
makarhum
Similar idea to [https://uriteller.io](https://uriteller.io). This is a nice
way to check whether your end to end encrypted chat is really secure or not.

~~~
bb88
This is brilliant. They recommend using a url shortener, but I want to see if
anyone is parsing comments and visiting urls from HN.

[https://uriteller.io/7S6asCJSwrOzApjG84hIRA](https://uriteller.io/7S6asCJSwrOzApjG84hIRA)

Edited to add:

Here's the view key if you're interested. Just append it to the end of
uriteller.io:

ZBt0gGoUHtIsyQ7KFwikYg

A crawler on AWS hit it two minutes after I posted it.

~~~
cottsak
Lots of Mac users with out of date OS :S
[https://uriteller.io/ZBt0gGoUHtIsyQ7KFwikYg](https://uriteller.io/ZBt0gGoUHtIsyQ7KFwikYg)

------
dylanpyle
FYI - I signed up and the email confirmation page showed me someone else's
canary URL

~~~
jstanley
That's not good! Taking a look.

EDIT: I believe it's because the CSPRNG state (
[https://metacpan.org/pod/Bytes::Random::Secure::Tiny](https://metacpan.org/pod/Bytes::Random::Secure::Tiny)
) was created before the process forks, so they shared the initial state and
generated the same token. I've reduced it to 1 worker pending an actual fix.

Sorry about that, and thanks for pointing it out.

~~~
beefhash
Given this kind of disaster potential, wouldn't it be a rather attractive
option to use /dev/urandom?

~~~
jstanley
Bytes::Random::Secure::Tiny seeds itself from /dev/urandom, I just need to
make sure to initialise it on first use, instead of when my program first
starts (which I've now done).

In general I suspect if anything you'd be _more_ likely to mess it up by
reading bytes from /dev/urandom manually than by using a library.

~~~
stouset
How exactly can one mess up reading bytes from `/dev/urandom`? Serious
question.

Open the file. Read from it. If no failures on open or read, you have random
bytes. In essence, there _is_ already a library for this: `open` and `read`,
which seems to be the same API surface area as this library.

~~~
beefhash
Here's all the ways this can possibly go wrong:

[https://insanecoding.blogspot.com/2014/05/a-good-idea-with-b...](https://insanecoding.blogspot.com/2014/05/a-good-idea-with-bad-usage-devurandom.html)

~~~
stouset
Most of these are ridiculous.

First, the author mentions that a `read` from urandom can be interrupted. I am
unaware of any system where this is actually possible. And _even if it were_ ,
the author's original code (and my description of an implementation) already
works! The `read` call will return an error, and that error is handled. His
"improved" code is simply an optimization around retrying from this device,
but it's not an improvement in safety.

His second argument is that /dev/urandom might not have enough randomness in
it. This is, quite simply, not a concern for anyone not writing code for
specific embedded devices or for extremely early in the kernel boot process.
Anyone who is writing code for these environments is almost certainly already
aware of these limitations. And even then, using a library like the one the GP
is using doesn't actually help, since it's virtually guaranteed to just be
reading bytes from `/dev/urandom` for its seed in the first place.

The rest go into situations that — quite frankly — border on ludicrous. If
someone has replaced your `/dev/random` with `/dev/zero`, _you have already
lost_ and there is nothing you can or should reasonably do besides nuke the
machine from orbit.

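An added example, not the project's own (Perl) code: a Python model of the bug jstanley describes above, a userland CSPRNG seeded once before the server forks so every worker replays the same token stream, beside a pid-checking fix that goes slightly beyond "initialise on first use" (it also covers a generator that was already used before the fork). `read_urandom` is the plain open/read loop stouset describes, with the one short-read case worth handling; class and function names are assumptions, and the block needs a POSIX system for `fork` and `/dev/urandom`.

```python
import os
import random

def read_urandom(n):
    """Read exactly n bytes from /dev/urandom, looping on short reads."""
    fd = os.open("/dev/urandom", os.O_RDONLY)
    try:
        buf = b""
        while len(buf) < n:
            chunk = os.read(fd, n - len(buf))
            if not chunk:
                raise OSError("unexpected EOF on /dev/urandom")
            buf += chunk
        return buf
    finally:
        os.close(fd)

class StartupSeededRNG:
    """The reported bug: a userland CSPRNG seeded once at program start,
    before the server forks, so every worker inherits identical state."""
    def __init__(self):
        self._rng = random.Random(read_urandom(32))
    def token(self):
        return f"{self._rng.getrandbits(128):032x}"   # 128-bit token as hex

class ForkSafeRNG:
    """Fix: seed lazily and re-seed whenever the pid changes, so a worker
    forked after first use still cannot replay its parent's stream."""
    def __init__(self):
        self._rng, self._pid = None, None
    def token(self):
        if self._rng is None or self._pid != os.getpid():
            self._rng, self._pid = random.Random(read_urandom(32)), os.getpid()
        return f"{self._rng.getrandbits(128):032x}"

def token_in_parent_and_child(gen):
    """Warm the generator up, fork, draw one token per process and return
    (parent_token, child_token) for comparison."""
    gen.token()
    r, w = os.pipe()
    if os.fork() == 0:                 # child: hand its token to the parent
        os.close(r)
        os.write(w, gen.token().encode())
        os._exit(0)
    os.close(w)
    child = b""
    while chunk := os.read(r, 64):
        child += chunk
    os.close(r)
    os.wait()
    return gen.token(), child.decode()

def fork_demo():
    return {name: token_in_parent_and_child(cls()) for name, cls in
            [("startup_seeded", StartupSeededRNG), ("fork_safe", ForkSafeRNG)]}
```

With the startup-seeded generator the parent and child return the same token; with the pid-checking one they differ.
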
------
diggan
I don't understand this. Someone just visits the URL and I get an email
notification? If it's supposed to be secret, how does the script know if the
visit is OK or not, sending me the notification only when it's OK? Are the
good guys supposed to know this is a sort of "honeypot" URL and not visit it?

~~~
droopybuns
Put a URL in a firmware image that is never called by your device/app.

Monitor the URL for access. You then receive an alert that someone accessed
the URL.

This gives you a real-time notification that a reverse engineer has looked at
your firmware. It also gives you an IP address. So you now “know” that someone
might try to hack your device. And you also have an IP address.

This is a billion dollar security play!

Jokes aside. It is a good concept for IoT firms who have a security advocate,
but no budget. Would help persuade people that there are hackers targeting
their devices/apps with quantifiable data of degrading value.

~~~
dsacco
Huh. That’s...a good idea. The idea has to be developed further though. This
has to be deployed on different domain names and with full content control on
the web pages.

I guess that’s all doable with the “private server with root access” under
enterprise pricing. What a great way to precisely measure cover time. You
could inject arbitrary URLs into an application to see if your API has been
reverse engineered.

~~~
droopybuns
Hackers worth their salt work in air-gapped environments.

This is a signal, but not a game changer for security pros.

~~~
dsacco
I’m speaking specifically about the case where someone is trying to reverse
engineer a private API from an application. Then interacting with an API
endpoint will necessarily trigger the canary.

Having retrieved API secrets offensively, and overseen secret rotation
defensively, I’d say it _would_ be a game changer. It’s an excellent idea to
automate this discovery with an alarm. The current discovery system is either
an internally developed, half-baked version of this that comes from
sophisticated logging, or manual oversight.

------
nzjrs
Semi related asking the wizard of HN. I recall reading a similar trick whereby
one can embed a github key/token/api key/??? in a source file in one's
repository and then if your code ever is stolen and pushed to github then you
will receive a notification because github will revoke the token. Does this or
similar ring a bell for anyone?

~~~
shurcooL
[https://blog.github.com/2015-02-05-keeping-github-oauth-toke...](https://blog.github.com/2015-02-05-keeping-github-oauth-tokens-safe/)

------
ActsJuvenile
Great project! I just found out that one creepy Safari extension is crawling
every URL I visit.

Also Yahoo Slurp is crawling my email URLs. Sigh.

~~~
Volt
What's the extension?

------
ada1981
This is neat.

For added security, maybe better to hide the canary URL in a bit.ly link?
Someone might know your 3 URLs.

~~~
sorenjan
You can preview bit.ly links by appending a + to it.

~~~
jstanley
But if you are already suspicious enough that you want to do that, you were
never going to click on the original URL anyway, so it's no worse than not
using bit.ly.

~~~
lucb1e
Not true. I know bitly and googl have those info pages, so I'll check them out
when I am curious but am not sure whether I want to alert wherever it leads.
I know I'll get more info at best, and don't lose anything at worst. For
random URLs, I guess I could try whois lookups, but I'd be much more likely to
just check it out than with a short URL which is easily checked out.

~~~
jstanley
I think you missed my point.

If seeing that the bit.ly URL redirects to a known-urlcanary domain would put
you off visiting the URL, then seeing the raw known-urlcanary domain (not
behind bit.ly) would _also_ be enough to put you off visiting it.

~~~
lucb1e
Ah, yes, if that is the alternative, then of course. I thought it was between
some shortened link and an unknown domain.

------
rrggrr
A quick test using Zapier's webhook functionality tells me I can duplicate
this with their platform. Doesn't seem to work with a link shortener, but I have
the sense more time invested on that will yield a result. So, I think the
concept has merit but you're off center of the target and much more value is
required.

~~~
wongarsu
I imagine there's a lot of value to be found in a dashboard, or generally in
managing these canaries. Which canary was deployed where, how often are they
triggered (with the ability to mark some instances as false alarm) etc.

But of course that heavily depends on the use case

------
sli
So what happens when the three offered domains become widely known to be fake?
Can this service be federated and use custom domains or is it just another
game of whack-a-mole?

~~~
pwinnski
From the landing page: "...and it's easy to setup a URL Canary on a custom
domain name."

~~~
pinum
Not to be overly negative, but if you're going to the trouble of pointing a
custom domain to this service, couldn't you just write a quick PHP script that
mail()s out when it's accessed? As far as I can see, the only advantage of
using this third-party site is convenience, a custom domain makes it much less
so.

------
efficax
Will the canary URLs always be to the same domain? If so, can't I circumvent
this just by using custom dns locally to map that domain to somewhere else,
like localhost? If it's not a domain, but an IP address, can't I just route
that IP somewhere else?

~~~
jstanley
There are currently 3 domains available. If this takes off I could do
something like mailinator (offer the user a small selection, but never reveal
the full list at once).

You can also register your own domain and point it at my server and your
canary will work just fine on that domain.

If you're playing at a high enough level that you've specifically blackholed
URL Canary traffic by IP address, then you're a worthy adversary. And
additionally, that is a splendid problem for my project to have.

On the enterprise tier you even get your own server with its own IP address,
so there should be nothing linking it to URL Canary at all. (Although the
enterprise tier is extremely expensive, and if anyone buys it I will probably
panic).

------
mh_
This is neat. It's currently a single type of token (i.e. a URL).

If you check out [https://canarytokens.org](https://canarytokens.org) you will
notice the ability to create several others (be notified when someone resolves
an IP address, be notified when someone opens a file, be notified when someone
views a QR code, etc)

------
JamesMcain
How does this differ from
[https://canarytokens.org/generate](https://canarytokens.org/generate) ?

~~~
jstanley
Very little!

Although the generated URLs don't have "canary token" in them.

~~~
mh_
Canarytoken allows you to download a docker instance, so you can host the
server on any domain you like.

------
askvictor
I'd really like to see a generalisation of this idea to any personal/private
data stored in any database. Any time a piece of 'your' data (e.g. a medical
record) is accessed, you get an alert. There could be an industry of alert
brokers that decide if the alert is important or not - you might employ one,
or write your own, or choose to look at every alert. While it would require a
big change to how we store data, I suspect that the changes required to be
GDPR compliant start going in this sort of direction.

------
overcast
Is following a URL common practice for someone who accesses documents? I mean
if I come across a repository, my first inclination isn't to find all of the
hidden URLs and chase them.

~~~
inetknght
It's common practice for robots and vulnerability analysis

------
cottsak
How does a potential customer know how effective this is? How do you even know
that it's effective for your personal use case as described
[https://urlcanary.com/about](https://urlcanary.com/about) ?

How many attackers are going to click that link or _any_ link for that matter?
Seems the value prop of the product is based on the assumption that folks will
click. Maybe it's a solid assumption. I just can't see the evidence for it.

~~~
imglorp
The value lies in sometimes demonstrating a channel is insecure. It won't
always do so. Obviously the converse--proving a channel is secure--is much
harder.

I don't think it has commercial value really. But for social awareness,
showing that mail, or notes, or storage providers aren't always as private as
you'd hope, that's where the value is.

~~~
cottsak
But it demonstrates nothing if no one clicks. The channel may be insecure,
compromised and no one knows - not the author or the parties who are supposed
to have the secrets.

I see what he's trying to do, but I don't think this is the way.
Mathematical proofs that verify that a payload is observed, opened, or
accessed work. They are deterministic. They are also way more complex. I think
this is trying to solve a problem in a simple way but it's still just as
nondeterministic as without this solution IMO.

~~~
imglorp
Absolutely. But if you have the choice between a) not knowing 100 pct of the
time, and b) knowing for certain it's not private X pct of the time, for
unknown X probably not 0, you'd want b. You will have more information by
trying.

------
josefresco
This looks neat. What is a good use-case for your average techy? What about
your average non-techy?

~~~
jstanley
It can be useful anywhere you have sensitive information that you wouldn't
want to fall into the wrong hands, or more specifically that you would want to
find out if it did.

It could go in backups, in your git repository, bug tracker, internal wiki,
etc.

For an average non-techy, I don't know... they might want to put one in their
diary?

~~~
rplnt
For any web/cloud service, I think this might be easily triggered when the
service is trying to be helpful. I.e. when fetching previews, displaying
in/active links, etc...

~~~
jstanley
You're right, and this does happen.

If that's a problem for you then you can mitigate it a bit by checking the
User-Agent and IP address in the alert email you receive.

------
sitkack
Do you have domain diversity? Organizations will blackhole urlcanary.com

------
lolc
Nice! I've often considered implementing a service like this at the DNS level.
DNS would be ideal because it would work for more services, not only HTTP.

------
tzury
given the options are 3 domains to choose from:

      1. emotionalrec.com
      2. factwisdom.com
      3. tdurl.uk

Smart thief simply won't follow the link.

~~~
jstanley
Even then you're no worse off than if you didn't have it at all.

------
zitterbewegung
This is neat. Reminds me of the MR robot episode where he puts a link to track
the FBI in season 3

------
Kiro
Maybe I don't understand the concept but why would you ever put a secret
public?

~~~
dewey
You don't. You put it in a thought to be private place but you'll find out if
it gets public at some point that way.

~~~
Kiro
But why host it somewhere reachable at all?

~~~
dewey
It's a canary, it should ideally never be triggered, but in case it does you
want to know about it.

Another way would be to put a fake user in your users database and then watch
password leaks and see if it shows up. Then you know you've been breached. It
should never happen but if it does it's good to know.

------
magic_beans
I like the simplicity of this.

------
boardwaalk
fail2ban[1] can be set up to do this trivially.

[1] [https://www.fail2ban.org/](https://www.fail2ban.org/)

~~~
hughes
ok I'm like 8 pages into the configuration wiki and still have no idea how to
set this up

~~~
boardwaalk
I'd recommend just installing it and turning on a couple of the built-in
filters by editing /etc/fail2ban/jail.local to see how it goes together. See
the comment at the top of /etc/jail.conf as well and check out 'man
jail.conf'.

Essentially to do the same thing as URL Canary you'd set up an action that
only emails and trigger that with a custom filter that scans your web server's
access log for accesses to a particular URL.

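The same idea as the fail2ban filter boardwaalk describes, written as a standalone Python scanner over combined-format access-log lines; this is an added example, not code from fail2ban or URL Canary. The `/c/` path prefix, the preview-fetcher list and the sample log lines are constructed for the demo, and the preview-bot flag implements the User-Agent check jstanley suggests earlier in the thread for telling "helpful service" fetches from real hits.

```python
import re
from dataclasses import dataclass

# Combined Log Format as nginx/Apache write it (regex constructed for this demo).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Canary URLs here are /c/<random token>; the prefix is an assumption of this demo.
CANARY_RE = re.compile(r"^/c/(?P<token>[A-Za-z0-9_-]{16,})(?:[/?#].*)?$")

# Services that fetch links on a user's behalf; hits from these are the "helpful
# service" false alarms discussed above (constructed, non-exhaustive list).
PREVIEW_FETCHERS = ("Slackbot-LinkExpanding", "facebookexternalhit", "Twitterbot")

@dataclass
class Alert:
    token: str
    planted_in: str
    ip: str
    user_agent: str
    timestamp: str
    likely_preview_bot: bool

def scan_access_log(lines, planted):
    """Yield an Alert for every request to a planted canary; `planted` maps
    token -> where it was hidden, so the alert says what leaked, not just that."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        c = CANARY_RE.match(m["path"])
        if not c or c["token"] not in planted:
            continue                      # ordinary traffic, or a token never issued
        ua = m["ua"]
        yield Alert(c["token"], planted[c["token"]], m["ip"], ua, m["ts"],
                    any(bot in ua for bot in PREVIEW_FETCHERS))

# Constructed sample: one normal request, two canary hits, one unknown token.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2018:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2018:12:03:44 +0000] "GET /c/k9VbQ2x7Lm4pR8sT0uWy HTTP/1.1" 200 0 "-" "curl/7.58.0"',
    '198.51.100.4 - - [10/May/2018:12:05:10 +0000] "GET /c/Zq1wE2rT3yU4iO5pA6sD HTTP/1.1" 200 0 "-" "Slackbot-LinkExpanding 1.0"',
    '198.51.100.8 - - [10/May/2018:12:06:00 +0000] "GET /c/NotAnIssuedToken0000 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
PLANTED = {"k9VbQ2x7Lm4pR8sT0uWy": "private git repo, README",
           "Zq1wE2rT3yU4iO5pA6sD": "internal wiki, ops page"}

def scan_demo():
    return list(scan_access_log(SAMPLE_LOG, PLANTED))
```

Feeding the sample produces two alerts: the curl hit on the repo canary, and the wiki canary fetched by a link-expanding bot, which is flagged as a likely preview rather than a person.
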
------
wxyyxc1992
This is a really interesting application. Basically exploiting human greed.
Thank you for sharing it.

------
andrewmcwatters
Hah, that enterprise pricing is insane.

~~~
CapacitorSet
Indeed, at £1k (€1136, $1403) one might as well run an internal application.
At a very basic level, it can be achieved with three lines of bash:

        # answer any connection with a minimal response, then mail $MESSAGE
        # (netcat's -l syntax differs between implementations)
        while echo -en "HTTP/1.1 200 OK\r\n..." | nc -l "$IP" "$PORT"; do
            sendmail -i -t < "$MESSAGE"
        done

More complex configurations could still be worked out in <50 lines of Python.

~~~
softawre
Why would anybody buy this (dropbox), I can recreate this with a simple ftp
server and 30 minutes of coding!

~~~
CapacitorSet
Dropbox is not a devs-only product, given that eg. the CEO might want a
personal Dropbox folder, or one might need a shared folder between the
marketing team and the developer team (and even then, at the enterprise level
it is not unheard of to use simpler alternatives like SFTP/NTFS shares).

Canaries on the other hand are exclusively used by technical people, who won't
mind developing and spinning up a tiny honeypot.

