How secure are URLs with random strings appended to a stem (generated as hashes of content?) and kept secret, but otherwise not secured? Is it like low probability hash collisions? Could a crawler brute-force sensitive content at a useful rate to be worth it to an attacker?
Conversation
Thinking of the security-through-obscurity model like what uses for images, where uploads are stored at URLs with stems at firebasestorage.googleapis.com
I’ve seen it elsewhere too, so seems to be a common strategy
2
1
6
To be clear I don’t know how firebase storage works. I’m guessing.
3
2
Hmm. You actually wouldn’t need to brute force if you had local access. Packet-sniffing at a router close to a target should just give you the urls right?
5
4
I’ve instinctively avoided putting anything sensitive on services that use this mechanism, which is why I’ve primarily used Roam for text, which is encrypted, and for images only when I don’t care if it goes public
4
4

