FYI, I’m on vacation in Costa Rica, so this is the last [email protected] of 2015. Pura vida mae!
It’s holiday season and my family & friends keep asking for my mailing address. Frankly, I’m surprised holiday cards are still a thing. (My parents declared holiday card/newsletter bankruptcy decades ago.) Save a tree and send me an email with funny gifs instead.
I briefly considered posting my address on my website, but I didn’t want tons of spam. So, I needed a way to put it online and restrict access to people who actually know me.
I figure that if you can spell my middle name and you know my phone number, you can probably figure out or socially engineer my mailing address. So, here’s what I came up with. I call it Cryptopostal:
How it works
While it’s trivial to create a web form that reveals something, securing it is not. A simple show/hide is insufficient, because the “hidden info” is stored as plaintext in the source code. A secure alternative would be a database lookup using name & phone as the login credentials, but that’s a colossal waste of resources for this application.
The answer is crypto. By encrypting my address, I can store it in the source code, and decrypt it locally whenever a visitor provides the proper answers. It’s 100% static and supes elegant.
I looked at a bunch of cryptography libraries, but I chose the Stanford University Crypto Library (SJCL) because it’s small, maintained, works locally in the browser & in node, and it has a super simple API.
How simple? This simple:
```js
// decrypt data
// e is the ciphertext string returned earlier by sjcl.encrypt("passphrase", data)
var d = sjcl.decrypt("passphrase", e)
```
- `e1`, a random string of characters ~ `sup3rs3kr1t` (this could be any random string of characters.)
- `e2`, the address (`<br>` is optional / for line breaking) ~ `1060 W Addison St.<br>Chicago, IL 60613`
- `e3`, a Google Maps link ~
Whenever a visitor submits the form, a script does the following:
- Sanitize and concatenate the name and phone inputs into a passphrase.
- Decrypt `e1` and compare it to the plaintext `sup3rs3kr1t`. If it’s a match, our answers are correct.
- If it matches, decrypt `e2` and `e3`, update placeholder HTML elements with those strings, and then unhide the address field.
- If it doesn’t match, display an error message.
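The unlock steps above as an added example (not the author's code and not Cryptopostal's source): Node's built-in `crypto` (PBKDF2 + AES-256-GCM) stands in for SJCL so that it runs offline. The names `toPassphrase`, `unlock` and `page`, the iteration count, and the sample name, phone number and map URL are assumptions constructed for illustration.

```javascript
const nodeCrypto = require("crypto"); // Node built-in, standing in for SJCL
const ITERATIONS = 100000; // assumption: each passphrase guess costs this many PBKDF2 rounds
// Normalise answers so "Quincy " / "quincy" and "(555) 010-0199" / "5550100199" agree.
function toPassphrase(name, phone) {
  const n = String(name).normalize("NFKC").toLowerCase().replace(/[^\p{L}]/gu, "");
  const p = String(phone).replace(/\D/g, "");
  return `${n}:${p}`;
}

function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, 32, "sha256");
}

// Returns a JSON-safe blob that can sit in the page source.
function encrypt(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), ct: b64(ct), tag: b64(c.getAuthTag()) };
}

// Returns the plaintext, or null when the passphrase is wrong or the blob was altered.
function decrypt(passphrase, blob) {
  const bin = (s) => Buffer.from(s, "base64");
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, bin(blob.salt)), bin(blob.iv));
    d.setAuthTag(bin(blob.tag));
    return Buffer.concat([d.update(bin(blob.ct)), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// The post's steps: build the passphrase, check e1 against the canary, then open e2 and e3.
// (GCM already rejects a wrong key; the e1 check is kept to mirror the post.)
function unlock(page, name, phone) {
  const pass = toPassphrase(name, phone);
  if (decrypt(pass, page.e1) !== page.canary) return { ok: false, error: "Wrong answers" };
  return { ok: true, address: decrypt(pass, page.e2), map: decrypt(pass, page.e3) };
}

// Constructed sample data, not the author's real answers or map link.
const samplePass = toPassphrase("Quincy", "(555) 010-0199");
const page = { canary: "sup3rs3kr1t", e1: encrypt(samplePass, "sup3rs3kr1t"),
  e2: encrypt(samplePass, "1060 W Addison St.<br>Chicago, IL 60613"),
  e3: encrypt(samplePass, "https://maps.example/placeholder") };
console.log(unlock(page, "quincy", "555 010 0199"), unlock(page, "quincy", "0"));
```

Because the ciphertext is public, the only secret is the passphrase itself, so its strength is bounded by how guessable the two answers are; the key-derivation iteration count only raises the cost of each guess.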
As you can see in my 80s inspired demo, it’s pretty neat.
Roll your own
I wrote a node package that will generate a Cryptopostal page for you:
- Clone the repo
- Edit variables in `index.js` (name, avatar, q1, q2, pass, d1, d2, d3)
- Run `node index.js` to update `index.html`
- Upload `index.html` & all the css/js/image assets to your web host. Do not upload `index.js`.