How secure are URLs with random strings appended to a stem (generated as hashes of content?) and kept secret, but otherwise not secured? Is it like low probability hash collisions? Could a crawler brute-force sensitive content at a useful rate to be worth it to an attacker?
Thinking of the security-through-obscurity model like what uses for images, where uploads are stored at URLs with stems at firebasestorage.googleapis.com
I’ve seen it elsewhere too, so seems to be a common strategy
To be clear I don’t know how firebase storage works. I’m guessing.
Hmm. You actually wouldn’t need to brute force if you had local access. Packet-sniffing at a router close to a target should just give you the URLs, right?
I’ve instinctively avoided putting anything sensitive on services that use this mechanism, which is why I’ve primarily used Roam for text, which is encrypted, and for images only when I don’t care if it goes public
Since all Firebase Storage URLs are https, you can't get it from packet sniffing (URLs are encrypted in transit).
Unguessable URLs are a common security pattern (e.g. Google Photos) and the entropy of their randomness is high enough that brute forcing is not generally feasible.
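The reply above rests on a quantitative claim: the random part of the path carries enough entropy that enumerating it is infeasible. The following is an added example, not code from the thread or from Firebase, that makes the arithmetic concrete: it estimates the average time a crawler would need to hit one specific secret path at an assumed request rate, contrasts a short six-character ID with a 256-bit token, and shows why a path derived only from a content hash (as the original question wonders about) is reproducible by anyone who holds the content and so is not a secret in itself. The alphabet sizes, token lengths and request rates are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets

# Added example (not the thread's or Firebase's code). It quantifies how
# hard it is to guess ONE specific secret URL path by brute force, given
# the path's entropy and an assumed crawler request rate.

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Mean guesses needed to find a specific token: half the key space."""
    return 2.0 ** (bits - 1)


def expected_years(bits: float, requests_per_second: float) -> float:
    """Average wall-clock time for a crawler at the given (assumed) rate."""
    return expected_guesses(bits) / requests_per_second / SECONDS_PER_YEAR


def compare_schemes(requests_per_second: float = 1000.0) -> dict:
    """Contrast a short 6-char base-36 ID with a 32-byte (256-bit) token.

    Both scheme parameters are assumptions for illustration.
    """
    short_id_bits = entropy_bits(36, 6)   # ~31 bits: guessable in days
    token_bits = 32 * 8                   # 256 bits: effectively unguessable
    return {
        "short_id_years": expected_years(short_id_bits, requests_per_second),
        "token_years": expected_years(token_bits, requests_per_second),
    }


def generate_path_token(nbytes: int = 32) -> str:
    """CSPRNG-backed URL-safe token. 32 random bytes carry 256 bits of
    entropy and encode to 43 base64url characters (padding stripped)."""
    return secrets.token_urlsafe(nbytes)


def content_hash_path(content: bytes) -> str:
    """A path that is purely the SHA-256 of the content is deterministic:
    anyone who has (or can guess) the content can recompute the path, so
    it offers no secrecy beyond that of the content itself."""
    return hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    print(compare_schemes())
    print(generate_path_token())
    print(content_hash_path(b"constructed sample content"))
```

The `short_id_years` figure (a few hundredths of a year at 1,000 requests per second) is the case the original question worries about; the `token_years` figure is astronomically large, which is the point the reply makes about entropy. A rate limiter or access logging on the storage endpoint is the usual detection for a crawler working through the short-ID case.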
I think there is a zero/low risk of packet sniffing since URLs are transmitted over TLS (HTTPS). However, some malicious browser extensions could intercept and phone home these URLs.