Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)
Posted Apr 15, 2016 9:06 UTC (Fri) by epa (subscriber, #39769)
In reply to: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker) by DOT
Parent article: Gone In Six Characters: Short URLs Considered Harmful for Cloud Services (Freedom to Tinker)
A longer URI would be harder to find by brute force, but that is only a sticking plaster for the problem, since it will still turn up in Referer: headers and so on.
That said, it is certainly true that the insecure approach is usually the more convenient one, and passing around URIs which don't require any further login details is always going to beat any other approach in convenience. So a sticking plaster may be the best we can do at the moment. If everyone in the world had a Google account then it would be trivial to 'share these driving directions with the following users...' but, thank goodness, the world is more messy than that.
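Added example (not part of the comment above): a small Python script that puts numbers on the two points epa makes. It measures how little guessing work a six-character short URL leaves an attacker compared with a properly random sharing token, and it shows the response headers a service can set so that a secret URL is not handed on in the Referer header when the recipient follows a link from the shared page. The base62 alphabet, the guess rate, and the 16-byte token length are assumptions chosen for illustration, not values from the article or the thread.

```python
import math
import secrets
import string

# Assumption: a typical shortener alphabet of [A-Za-z0-9] (62 symbols).
SHORTENER_ALPHABET = string.ascii_letters + string.digits


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a token of `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def hours_to_enumerate(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Wall-clock hours needed to try every possible token once at the given rate.
    Enumerating the whole space is what finds *all* live short URLs, which is
    the risk for a shortener: every hit is someone's shared document."""
    total = alphabet_size ** length
    return total / guesses_per_second / 3600


def mint_capability_token(num_bytes: int = 16) -> str:
    """Generate an unguessable sharing token from the OS CSPRNG.
    Assumption: 16 random bytes (128 bits), rendered as URL-safe base64
    without padding, which gives a 22-character path segment."""
    return secrets.token_urlsafe(num_bytes)


def sharing_page_headers() -> dict:
    """Headers a service should send on any page reached via a secret URL.
    Referrer-Policy: no-referrer stops browsers from sending the secret URL as
    the Referer when the visitor clicks an outbound link; Cache-Control: no-store
    keeps the URL and its content out of shared caches and proxy logs."""
    return {
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }


def compare(length: int = 6, guesses_per_second: float = 1000.0) -> dict:
    """Side-by-side figures for a short URL of `length` symbols versus a random
    128-bit capability token, at an assumed guess rate."""
    alpha = len(SHORTENER_ALPHABET)
    token = mint_capability_token()
    return {
        "short_url_bits": keyspace_bits(alpha, length),
        "short_url_hours_to_enumerate": hours_to_enumerate(alpha, length, guesses_per_second),
        "token_example": token,
        "token_bits": keyspace_bits(64, len(token)),
        "token_hours_to_enumerate": hours_to_enumerate(64, len(token), guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
    print(sharing_page_headers())
```

The enumeration figure is the one that matters for a shortener: about 36 bits of keyspace can be walked in its entirety, and every hit is a live document, whereas a 128-bit token is beyond enumeration at any rate. The headers address epa's second point rather than the first; a long token still leaks if the page that uses it lets browsers send it onward as a Referer.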
Posted Apr 15, 2016 11:10 UTC (Fri) by alonz (subscriber, #815)
It actually is quite common to have a URI act as a password: just look e.g. at the URIs for Google photos.
And there is good reason for this practice—it enables the photo owner to share it with friends without them having to sign in. So sure, it's limited (if the URI leaks, it's usable by anyone) but it is a valid trade-off.
