How secure are URLs with random strings appended to a stem (generated as hashes of content?) and kept secret, but otherwise not secured? Is it like low probability hash collisions? Could a crawler brute-force sensitive content at a useful rate to be worth it to an attacker?
Thinking of the security-through-obscurity model like what uses for images, where uploads are stored at URLs with stems at firebasestorage.googleapis.com
I’ve seen it elsewhere too, so seems to be a common strategy
To be clear I don’t know how Firebase storage works. I’m guessing.
Hmm. You actually wouldn’t need to brute force if you had local access. Packet-sniffing at a router close to a target should just give you the URLs, right?
I’ve instinctively avoided putting anything sensitive on services that use this mechanism, which is why I’ve primarily used Roam for text, which is encrypted, and for images only when I don’t care if it goes public
Basecamp used to have S3 URLs with temporary keys for access. Anything less than that seems lax for sensitive data.
Try opening the AWS links from incognito. I've found most platforms require a layer of authentication, but ymmv.
I think that's a valid attack vector. For a large enough hash, it's impractical to scan the address space. But sniffing the used hashes seems likely.
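Putting numbers on the two points raised in the thread (how long scanning the address space of a random URL stem takes, and the temporary-key URLs of the kind Basecamp used), as an added example that is not any participant's code; the alphabet, request rate, signing key and paths are constructed assumptions:

```python
import hmac, hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed values for the example only; not from any real service.
SECRET = b"example-signing-key-change-me"
ALPHABET_SIZE = 62  # [A-Za-z0-9], a typical alphabet for a random stem

def years_to_guess(token_len, alphabet=ALPHABET_SIZE, req_per_sec=1e6, live=1):
    """Expected years until a scanner issuing `req_per_sec` guesses per
    second hits one of `live` existing objects, when the stem is
    `token_len` uniformly random characters. Expected guesses before the
    first hit are about (space / live) / 2, the birthday-free case: the
    attacker must match an existing stem, not find any two that collide."""
    space = alphabet ** token_len
    expected_guesses = space / (2 * live)
    return expected_guesses / req_per_sec / (365 * 24 * 3600)

def sign_url(base, path, expires_at, key=SECRET):
    """Mint a temporary-key URL: the HMAC covers the path and the expiry,
    so neither can be altered without invalidating the signature."""
    msg = f"{path}\n{expires_at}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base}{path}?" + urlencode({"exp": expires_at, "sig": sig})

def verify_url(url, now, key=SECRET):
    """Server-side check: reject expired links and any path/expiry/sig
    mismatch, comparing in constant time."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        exp, sig = int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= exp:
        return False
    expected = hmac.new(key, f"{parts.path}\n{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

With a 16-character stem the estimate is on the order of 10^14 years even at a million requests per second, so guessing is not the practical path; the expiry is what bounds how long a link that was sniffed, shared or logged keeps working.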