Sunday, March 31, 2013

Understanding mega:// links

Introduction


From version 0.6, MegaDownloader supports mega:// links.
When you click on a mega:// link, MegaDownloader automatically opens and captures the link, so you can download them easily.
In this article, mega:// links will be explained and classified.

Mega links types

There are three basic types of Mega links:


Plain links.

These links contains the ID and the Key, similar to a normal mega link. For example, consider this link:
https://mega.co.nz/#!OFEQ0Y4Z!0123456789wVrs6n7Jyx8-9876543210nkI8MA5Gf4g

The mega:// equivalent link would be:
mega://#!OFEQ0Y4Z!0123456789wVrs6n7Jyx8-9876543210nkI8MA5Gf4g

You can generate your own plain mega:// links just replacing "https://mega.co.nz/" by "mega://".

Encoded links.

This links contain the ID and the Key encoded, and the URI has the form "mega://enc?xxx".
These links are generated by both MegaDownloader and MegaUploader, by going to "Options"/"Encode URLs", or by using the right click option "See links" and selecting the "Encode URLs" option.




You can share the encoded links, and MegaDownloader will grab them when you click on them or when you copy them (if you have activated the "Capture links from Clipboard" option).



What's the target of the encoded links? It was designed with the idea of offering a basic link protection, so the user can download the file but can't know the original link.

Please take into account that the level of security offered is not very high. Links are encoded using an AES password, but a high skilled user/hacker can retrieve it and get the original link. However most of the people will not be able to do it: At this moment it is even easier to decrypt a DLC than these encoded links ;)

ELC links.

ELC is the acronym of "Encoded Link Container".

This format, that will be released with MegaDownloader 0.8 and MegaUploader 0.7, is under development, but will offer two features:
  1. Link protection: Users won't be able to know the original link.
  2. Copy protection: Only authorized users will be able to access the file.

This is achieved by using a server to validate the user that tries to download the file. The idea is that each community (forum, etc) have a page to validate users.
When you create an ELC link, you have to select the community (previously configuerd) that will be have access to the links.
Once generated, only users with a valid account in that community will be able to download the files. In this way, even if someone pastes the Mega links outside the community, nobody without a valid account in that community will be able to download the files.

Interally files will be encoded using a random AES password, that will be recodified by the server. So without a valid account, nobody would be able to retrieve the original links, so security is guaranteed. The idea behind ELC is similar to the DLC, with the difference that DLC is public so anyone can download the links inside a DLC; ELC links will be private so only members of a community will be able to download the links.

ELC links can be found as a file (*.elc extension), or as a mega:// link, with the form "mega://elc?xxx".

For using the ELC, each community has to implement two webpages: (1) one for the user, so he can see the URL, user and API-Key he has to enter into MegaDownloader's configuration, and (2) another to validate the users and encode/decode the data.

Do you want to test ELC by yourself?
Well, first you have to download the test version of MegaDownloader 0.8. Then, you have to go to "Configuration", "ELC accounts", and create a new account with this data:
  1. Alias: Put anything you want, it's just an identificative name.
  2. URL: Put the community's URL for the ELC. For this test, use a demo URL "http://megadownloader.bugs3.com/ELC_Test/elc.php".
  3. User: Put "test".
  4. API-Key: Put "test".




Now you will have configured a "demo" ELC account, so you can download all ELC links generated for this community.

Do you want to try an example? Click on this link, and two files will be added - if you ELC account is correctly configured!
mega://elc?uXAAAACP5miGRF4WTvHQD_irXDUPmt2vLGBkl8suxITWNeXPUku3811CSgPTBkmqRL2Iw3PD4cp3Fyx5oDGZ0ESCkVlSYcS2WLDnCCGF095m5XGj-JAfpN63So4CzKXYZGJDXQ3QQ4v4--nrYoXqpjJZjn7BMABodHRwOi8vbWVnYWRvd25sb2FkZXIuYnVnczMuY29tL0VMQ19UZXN0L2VsYy5waHBAAGFPYkppTEUvK01acDI5cTVGZW81VkdkWVBUSExsWEhTSXM0cGx4eG5vK2F4SlhKVHFFYVUzVkhSZmdENEswcDI

A detailed article will explain it in depth, but meanwhile you can take a look at the source code of the demo page, available here. The encode/decode process is fully implemented (just change the password) but you will have to implement the user's validation.
Two fields will be sent on each petition: user and API-Key. The API-Key should be a code that identifies the user and only he should know it. For security, it should not be the user's password, but something like the hash of the nick + the hashed password stored in your DB, and should be shown on the first page we have commented (where the user sees the URL, user and API-Key, so he can configure MegaDownloader).

Conclusion
MegaDownloader and MegaUploader supports 3 types of mega:// links, with different levels of security, in order to use comfortably MegaDownloader and protect your Mega links :)


Link typeLink protectionCopy protection
Plain linksNoneNone
Encoded linksMediumNone
ELC linksHighHigh