52

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was only for my personal use---would that be somehow discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

AstroCB
  • 12,337
  • 20
  • 57
  • 73
Dexter
  • 6,170
  • 18
  • 74
  • 101
  • 1
    I'm tempted to write a long answer, but since I'm short on time, I'll just say, listen to @Michael Irigoyen. There are many ways, some clever and some brute-force, by which this scheme can be exploited. Just... don't do it. – Michael Petrotta Jan 28 '11 at 21:43
  • 15
    URIs are for resource identification and not for access authorization. – Gumbo Jan 28 '11 at 21:53
  • 4
    The URL will end up in your log files (who has access to them?), your configuration files, probably in your browser bookmarks, your backup files, etc. and then... you forget about them (they're not as security relevant as a passwor database, are they?) - until somebody finds them for you. – Chris Lercher Jan 28 '11 at 21:59
  • Yeah, the idea came to me, because I was using a different authentication module, in place of the default authentication module. And the secret URL would be my own backdoor for logging in the default-way, if the new authentication service went down. But I know it wouldn't be secure--well as secure as the default system is. – Dexter Jan 28 '11 at 22:08
  • 2
    I was looking for more depth than this question or its answers provided. I started a new question, [How can I generate a "private URL" with state of the art balance between security and convenience?][new question] rather than trying to expand the scope of this one. [new question]: http://stackoverflow.com/q/12479398/168740 – Matt McClure Sep 18 '12 at 14:48
  • 5
    @Gumbo Facebook, Dropbox and Google Drive each offer an 'anyone with the link' sharing permission, used by millions of people to keep documents confidential among their correspondents. This is popularly assumed to be secure (given the websites are HTTPS.) A satisfactory answer should acknowledge this. – Colonel Panic Oct 14 '16 at 10:33

9 Answers9

102

The reason using a "secret URL" is usually insecure is not because it is "security through obscurity". In information theory, a secret URL is no different than a password or private key. Are passwords and private keys considered a poor practice because they are "security through obscurity"? No.

So what's the difference between a hard-to-guess URL and a hard-to-guess password?

The difference is in the myriad of insecure places and ways that URLs are stored, displayed, and transmitted. Examples:

  1. In web browser address bars, histories, and caches*
  2. HTTP Referer headers sent to other sites*
  3. In web server access logs*
  4. In proxy and layer 7 firewall access logs
  5. In packet dumps
  6. In web stats traffic reports (e.g. AWStats, Google Analytics)*

HTTPS can protect some of these, but not all of them (items marked with a * are not protected against by using HTTPS.)

In a highly controlled environment, hard-to-guess URLs can be secure. But when using common web browsers, web servers and web frameworks, hard-to-guess URLs should not be relied upon unless no other option exists (and even then you should consider carefully).

Mike Clark
  • 10,027
  • 3
  • 40
  • 54
  • What if the URL has a ?token=abc on it? Like GitHub does automatically when looking at a file in a private repo. – Travis Reeder Apr 28 '15 at 23:14
  • 1
    Anything following '?' is considered a parameter, and all the points of exposure associated with a URL apply to the parameters as well (including HTTP Referer headers). – Chris Betti Jul 06 '15 at 20:51
34

Original Answer: Security through obscurity is something that should never be practiced.

I'd like to expand on this, as I see some argument is still being made that a secret URL is no different than a password. I would highly disagree with that comparison. A secret URL and a password do share one similar characteristic: they are known to one or more specific person/people. That is where the similarity ends.

Strength of Passwords

  • Making a password out of a series of random words makes the password very strong and very hard to guess or brute force.

  • A password has to be coupled with a user name, which also can increase security if the user name is not common.

  • User name and password combinations are not statically shown on the screen, nor stored anywhere in the browser (unless you chose to have your browser "save" your login credentials).

  • Passwords can be changed in the case of a breach without the need to change the entry-point into the system.

  • Good password systems don't store them in plain-text on the filesystem.

Weakness of Secret URL

  • Unless used in "Incognito", "Private", etc. mode, the URL will be stored in your local history/cache.

  • URLs are shown in the browser window and can be privy to wandering eyes.

  • If the secret URL is compromised, you have to change it and notify anyone using it.

  • The URL exists in plain text on the server somewhere, whether as real directory/files or as a rewrite (however, a rewrite could be down at a much higher level).

  • Everything else that @Mike Clark has mentioned in his answer.

What it really comes down to:

  • Secret URLs are only practicing security through obscurity. That's it.

  • Passwords may be obscured information by definition, but the extra efforts, precautions, and safeguards taken around passwords adds a level of security on top of it all. In other words, passwords are layered and are practicing security through other means in addition to obscurity. This, in turn, makes them a better choice than a simple obscured URL.

Recommendation: Use both a "secret" URL and a very strong user name/password combination. Don't rely on JUST a "secret" URL.

Never practice security using obscurity as the only safeguard.

Community
  • 1
  • 1
Michael Irigoyen
  • 22,513
  • 17
  • 89
  • 131
  • That's exactly the phrase I was going to use in my response. – Phrogz Jan 28 '11 at 21:42
  • 19
    I think sometimes this phrase is taken out of context (but not in this case.) Passwords are secure because they are obscure, the same with cryptographic keys. If theses were open, clear and freely available these security tools would be worthless. If you can guarantee that your resource is obscure, AND you have a mechanism in place to measure and respond to attempts at accessing this resource, then you aren't in any different situation than using a username / password. For example, if after three incorrect URL requests, you blacklist an IP, you have basically implemented a password system. – Brian Stinar Jan 28 '11 at 21:50
  • 2
    This isn't a good idea to do in this case though. I think Michael Irigoyen has the right answer to your question. – Brian Stinar Jan 28 '11 at 21:51
  • 1
    I agree with your philosophy and practice it often, but my main curiosity was about whether there was a way for a malicious user to find out and what tools they would use. And as Brian Stinar mentioned, sometimes obfuscation can be an aid, as long as you don't depend on it. For example, let's say you have a desktop application, and then you use that application to connect to a remote database. Well, you will need to obfuscate through cryptography, not only your own source code but also the transmission of the authentication to the database. – Dexter Jan 28 '11 at 22:03
  • 29
    -1 For misuse of the term "security through obscurity." The obscurity referred to in that term is the obscurity of the algorithm, not the obscurity of a strong password, key, or secret. – Mike Samuel Jul 22 '11 at 00:51
  • 6
    All security is through obscurity. A URL is simply insufficiently obscure (compared to, say, a password) – Mark Sowul May 14 '12 at 16:47
  • 2
    Security Through Obscurity hides a mechanism or implementation details - that is the difference to an open architecture that works with secret pass phrases only. It's a theoretical concept not really helpful here. So if you state on the website "there exist secret URLs" it's not STO, but if you don't, it arguably is. – weiglt Sep 13 '13 at 08:04
  • @MarkSowul, That depends solely on how you manage it. You say a password is sufficiently obscure, yet What if I google my password? Wouldn't it appear in my browsing history then, making it no more obscure than a URL? – Pacerier Mar 08 '14 at 18:44
  • @Pacerier I think it's safe to assume that the OP is not looking to intentionally undermine the integrity of their system. – chrnola Mar 10 '14 at 15:14
  • I felt like I should expand on my answer. I probably should have expanded on it years ago! Using just a "secret" URL **is** security through obscurity. Obscurity means, by definition, "the state of being unknown". That should not be practiced as the only means of security. It, however, can be coupled with other security means, such as a strong username/password combination. – Michael Irigoyen Mar 10 '14 at 16:16
  • @MichaelIrigoyen, all the weaknesses of secret URLs you cite cease to exist once we ensure that the secret URL is an OTP. – Pacerier Mar 15 '14 at 10:49
  • @chrnola, If you are not looking to intentionally undermine the integrity of the system, than a properly-managed OTP secret URL *is* just as secure as a normal password. – Pacerier Mar 15 '14 at 10:50
  • 1
    @MichaelIrigoyen you're perpetuating a confusion about the point the author of the "security through obscurity" quote was trying to make. Obscurity refers to obscurity of the implementation. e.g a system securing information behind one-time 128 bit random URLs is *very* secure, even if you publish the implementation details. Why not separate your argument about the wisdom of a URL approach from this quote to reduce confusion :)? – timruffs Apr 21 '15 at 09:03
  • this answer conveys a deep misunderstanding of security, and the definition of "obscurity". This is the correct answer: http://stackoverflow.com/a/6784690/291180 – Travis Webb Jan 22 '17 at 18:00
10

I'd say if you're careful they can be secure. The biggest security hole would be the people using it. It will be unintentionally shared or posted somewhere Google will index it. Design for that, and use it appropriately - like the Google docs "Anyone with this link" sharing method.

  1. Use HTTPS

Stops the URL being sent in plaintext

Doesn't set referrer headers if they click a HTTP link

  1. If people access your secret URL via HTTP, warn them and immediately change it

  2. It's not security through obscurity - that's a misunderstanding of the normal use of the phrase.

"A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them."

In contrast here you're being open about implementation and design.

I don't see that this is less secure than the average password when used with a long secret URL (64 characters anyone? 2000 - domain_length?), in combination with a tar-pit.

I'm planning to use it in an app where I feel people will value simplicity above security.

Community
  • 1
  • 1
timruffs
  • 910
  • 8
  • 9
8

It's not secure.

For HTTP traffic your secret URL would effectively be public as soon as you use it. Without any password protection an eavesdropper listening to your network traffic could see the URL you send and then visit the same page.

Mark Byers
  • 811,555
  • 193
  • 1,581
  • 1,452
  • 15
    They would be encrypted when using HTTPS. – Gumbo Jan 28 '11 at 21:46
  • 5
    @Gumbo: Yeah, that's an excellent point +1. I guess you *could* use HTTPS to keep the URL secret, however it's still a bad idea IMHO. Imagine if you accidentally forget to type the 's' on https... oops! – Mark Byers Jan 28 '11 at 21:53
  • Well first of all they'd have to sort through all the urls used and how often do people just sit on a network listening to all the URLs you visit. Usually they look for certain things, like .gov links, or HTTP authentication transmissions, POST/GET data--right? Just playing devil's advocate, I agree with your concern. – Dexter Jan 28 '11 at 22:05
  • @Dexter: Even if no-one is actively listening, the chances are that the URLs for all the pages you visit are going to be logged in multiple databases. For example ISPs in many countries are required by law to log what their customers are doing when online, and in those countries where it's not required I bet many do it anyway. – Mark Byers Jan 28 '11 at 22:09
  • That would seem like a rare case. But I guess even rare cases happen. – Dexter Jan 28 '11 at 22:11
  • 10
    Another very nice variation of this: If the page contains a link to an external site (say, google.com), then a click on that link sends the "secret" URL via the "Referer" header (directly to Google). – Chris Lercher Jan 28 '11 at 22:13
  • You are implementing the same idea here as "don't send your password over in plaintext." If you are going to implement a password system, why not just use an existing password system? We are getting into all the possible ways to make your idea secure, and they are issues that authentication systems deal with. So, why not use an existing authentication system? – Brian Stinar Jan 28 '11 at 22:34
  • @ChrisLercher, except the "Referer" header would be blank when using HTTPS. And if you are using HTTP, the point is moot, since then nothing will be secure anyway. – Pacerier Mar 08 '14 at 18:37
7

Not good idea because:

  1. Someone may reveal your url be gaining local access to your system/database/application
  2. Someday some administrator will put your access log files public and google will find them.
  3. You will migrate/upgrade something in your server setup and will forgot to protect/hide those urls
Ivailo Bardarov
  • 3,775
  • 1
  • 28
  • 25
7

The Waterken web server is a web platform designed by the security folk at HP research around secret (specifically cryptographically unguessable) URLs.

Applications built on it have some very interesting security properties as a result.

Done right, cryptographically strong secret URLs can provide high levels of security.

ACLs Don't is a paper from the waterken team on their security architecture.

Comparing the suggested defense to the capability based solution for the compilation scenario, and again assuming a Unix-like system: the URL is like the filename; and the unguessable token is like a file descriptor, approximating the unforgeability of a capability with unguessability. A legitimate page from the stock broker’s Web site first opens the stock purchase resource, receiving an unguessable secret. The browser then uses this unguessable secret to write to the stock purchase resource.

Mike Samuel
  • 118,113
  • 30
  • 216
  • 245
2

this is actually a pretty reasonable idea IF you use a large, and randomly generated url. there are many systems that actually work like this already. for example, in google docs, you can create a link that anyone with that link can edit the document. It's long enough that you could never feasibly guess that link. Also, password reset links are basically this, except they are (hopefully) only usable once. (see below)

You'll need to ensure that the secret is not leaked. That means using https, not logging accesses, or returning the secret in other api calls.

That said, as many above commenters mention, a URL is stored all sorts of insecure places on your computer, but if an adversary has access to your computer you are already screwed. It's pretty typical to assume that your end user device is secure.

Also, any secret is only secret inversely proportional to how many people know it. It may be tempting to share a url with other people who require access. A much better system might be to make each URL work once, but add a cookie to the user's browser, which is the actual token. Basically, just like a password reset flow/email confirm flow, except without passwords.

dominic
  • 571
  • 4
  • 7
1

Guessing an ascii hex string corresponding to 16 bytes presents a challenge of guessing a 128 bit AES key - which is considered impossible.

AWS
  • 11
  • 1
-1

would that be somehow discovered by a third party without getting the information from me? For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

Yes. You are thinking of the threat as a human being sitting at a computer typing the URL into their browser. The reality is that attackers use automated programs that perform reconnaissance on systems and use that information to attempt a variety of attacks. Trying random URLs has little cost for an automated system than can produce hundreds of HTTP requests per second. Second as others have noted, once you use the URL it is no longer secret. Those automated programs listen to internet traffic and collect URLs to attempt attacks on. The fact that only you know the URL means that no other person can divulge its value. It does not prevent technical means from divulging the value.

this.josh
  • 663
  • 9
  • 21
  • 3
    You are suggesting brute force, which obviously wouldn't work if the URL is long enough. It's the exact same reason why you can't brute force a long enough password even if you amass a billion billion computers each able to try a billion billion times per nanosecond. – Pacerier Mar 08 '14 at 18:43