Are secret URLs truly secure?

Front-end | Unresolved | 9 answers | 2125 views
挽巷 2020-12-13 02:11

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed one to bypass some sort of security, and this was on

9 answers
  • 上瘾入骨i
    2020-12-13 02:56

    Original Answer: Security through obscurity is something that should never be practiced.

    I'd like to expand on this, as I see some argument is still being made that a secret URL is no different than a password. I would highly disagree with that comparison. A secret URL and a password do share one similar characteristic: they are known to one or more specific person/people. That is where the similarity ends.

    Strength of Passwords

    • Making a password out of a series of random words makes the password very strong and very hard to guess or brute force.

    • A password has to be coupled with a user name, which also can increase security if the user name is not common.

    • User name and password combinations are not statically shown on the screen, nor stored anywhere in the browser (unless you chose to have your browser "save" your login credentials).

    • Passwords can be changed in the case of a breach without the need to change the entry-point into the system.

    • Good password systems don't store them in plain-text on the filesystem.

    Weakness of Secret URL

    • Unless used in "Incognito", "Private", etc. mode, the URL will be stored in your local history/cache.

    • URLs are shown in the browser window and can be privy to wandering eyes.

    • If the secret URL is compromised, you have to change it and notify anyone using it.

    • The URL exists in plain text on the server somewhere, whether as real directory/files or as a rewrite (however, a rewrite could be done at a much higher level).

    • Everything else that @Mike Clark has mentioned in his answer.

    What it really comes down to:

    • Secret URLs are only practicing security through obscurity. That's it.

    • Passwords may be obscured information by definition, but the extra efforts, precautions, and safeguards taken around passwords add a level of security on top of it all. In other words, passwords are layered and are practicing security through other means in addition to obscurity. This, in turn, makes them a better choice than a simple obscured URL.

    Recommendation: Use both a "secret" URL and a very strong user name/password combination. Don't rely on JUST a "secret" URL.

    Never practice security using obscurity as the only safeguard.
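As an added example (not from the thread or any of its answerers), a minimal gate implementing the recommendation in this answer: the secret path /x52d23r from the question plus a username/password, with both the path and the password stored only as digests, compared in constant time, and with the password rotatable without changing the entry point. The class name `LayeredGate`, the user `ops-admin` and the passwords are constructed values.

```python
import hashlib
import hmac
import os


class LayeredGate:
    """Secret path plus username/password; neither secret is kept in plain text.
    Constructed example, not code from the original thread."""

    ITERATIONS = 100_000
    # Response headers that keep the secret URL out of Referer headers and shared caches.
    HEADERS = {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store"}

    def __init__(self, secret_path: str, username: str, password: str):
        # Only a digest of the path is stored, so the URL is not readable from config.
        self.path_digest = hashlib.sha256(secret_path.encode()).digest()
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)

    def rotate_password(self, new_password: str) -> None:
        """Rotate the credential after a breach; the entry point stays the same."""
        self.salt = os.urandom(16)
        self.pw_hash = self._derive(new_password)

    def authorize(self, path: str, username: str, password: str) -> int:
        """Return an HTTP status: 404 for an unknown path (do not reveal that a
        secret path exists), 401 for bad credentials, 200 only when both layers pass."""
        requested = hashlib.sha256(path.encode()).digest()
        if not hmac.compare_digest(requested, self.path_digest):
            return 404
        # Evaluate both checks unconditionally so timing does not leak which one failed.
        user_ok = hmac.compare_digest(username.encode(), self.username.encode())
        pw_ok = hmac.compare_digest(self._derive(password), self.pw_hash)
        return 200 if (user_ok and pw_ok) else 401


if __name__ == "__main__":
    gate = LayeredGate("/x52d23r", "ops-admin", "correct horse battery staple")
    print(gate.authorize("/x52d23r", "ops-admin", "correct horse battery staple"))  # 200
    print(gate.authorize("/x52d23r", "ops-admin", "guess"))                         # 401
    print(gate.authorize("/admin", "ops-admin", "correct horse battery staple"))    # 404
```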
