Conversation

How secure are URLs with random strings appended to a stem (generated as hashes of content?) and kept secret, but otherwise not secured? Is it like low probability hash collisions? Could a crawler brute-force sensitive content at a useful rate to be worth it to an attacker?
Replying to
I’ve instinctively avoided putting anything sensitive on services that use this mechanism, which is why I’ve primarily used Roam for text, which is encrypted, and for images only when I don’t care if it goes public
Replying to
Since all Firebase Storage URLs are https, you can't get it from packet sniffing (URLs are encrypted in transit). Unguessable URLs are a common security pattern (e.g. Google Photos) and the entropy of their randomness is high enough that brute forcing is not generally feasible.
Replying to
I think there is a zero/low risk of packet sniffing since URLs are transmitted over TLS (HTTPS). However, some malicious browser extensions could intercept and phone home these URLs.
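Added example, not part of the thread and not any service's actual scheme: it puts numbers on the brute-forcing claim above and contrasts a CSPRNG token with the content-hash token the question speculates about. The stem, the 128-bit token size, the live-URL count and the guess rate are all constructed assumptions.

```python
import hashlib
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600
STEM = "https://storage.example.invalid/o"  # constructed placeholder stem


def random_url(stem: str, nbytes: int = 16) -> str:
    """Unguessable URL: nbytes from the OS CSPRNG (16 bytes = 128 bits)."""
    return f"{stem}/{secrets.token_urlsafe(nbytes)}"


def content_hash_url(stem: str, content: bytes) -> str:
    """URL whose suffix is a hash of the content (the question's guess)."""
    return f"{stem}/{hashlib.sha256(content).hexdigest()}"


def expected_years_to_first_hit(token_bits: int, live_urls: int,
                                guesses_per_sec: float) -> float:
    """Mean time for blind guessing to land on ANY live URL.

    Each guess succeeds with probability live_urls / 2**token_bits.
    """
    expected_guesses = 2 ** token_bits / live_urls
    return expected_guesses / guesses_per_sec / SECONDS_PER_YEAR


def derivable_from_content(url: str, stem: str, candidates) -> bool:
    """True if the URL can be recomputed from plausible content alone.

    A 256-bit hash of low-entropy content carries only the content's
    entropy, so the URL is no more secret than the content itself.
    """
    return any(content_hash_url(stem, c) == url for c in candidates)


if __name__ == "__main__":
    # Constructed workload: one billion live objects, one million guesses/s.
    print(f"128-bit: {expected_years_to_first_hit(128, 10**9, 1e6):.2e} years")
    print(f" 32-bit: {expected_years_to_first_hit(32, 10**9, 1e6):.2e} years")
    hashed = content_hash_url(STEM, b"yes")
    print("hash URL derivable:", derivable_from_content(hashed, STEM, [b"no", b"yes"]))
    print("random URL derivable:",
          derivable_from_content(random_url(STEM), STEM, [b"no", b"yes"]))
```

The estimate covers blind guessing only; it says nothing about URLs that leak through other channels, such as the browser extensions mentioned in the last reply.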