Are secret URLs truly secure?

挽巷
挽巷 2020-12-13 02:11

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was on

9 answers
  •  再見小時候
    2020-12-13 02:56

    I'd say if you're careful they can be secure. The biggest security hole would be the people using it. It will be unintentionally shared or posted somewhere Google will index it. Design for that, and use it appropriately - like the Google docs "Anyone with this link" sharing method.

    1. Use HTTPS

      Stops the URL being sent in plaintext

      Doesn't set referrer headers if they click a HTTP link

    2. If people access your secret URL via HTTP, warn them and immediately change it

    3. It's not security through obscurity - that's a misunderstanding of the normal use of the phrase.

      "A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them."

      In contrast here you're being open about implementation and design.

      I don't see that this is less secure than the average password when used with a long secret URL (64 characters anyone? 2000 - domain_length?), in combination with a tar-pit.

    I'm planning to use it in an app where I feel people will value simplicity above security.
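The points in the answer above (a long random path segment, HTTPS only, rotate the link as soon as it is seen over plain HTTP, and keep it out of referrers and search indexes) can be put together in a small helper. This is an added example, not code from the question or the answer; the host `example.invalid`, the in-memory registry and the `handle_request` function are hypothetical stand-ins for a real web framework and database.

```python
"""Secret-URL helper: mint, store and check capability links."""
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory registry: sha256(token) -> resource id.
# Hypothetical stand-in for a database table; only digests are stored, so a
# leaked table does not yield working links.
_registry: Dict[str, str] = {}

BASE_URL = "https://example.invalid/s/"   # hypothetical host

# Response headers that keep the link out of referrers, caches and search
# indexes once it has been used.
SECRET_RESPONSE_HEADERS = {
    "Referrer-Policy": "no-referrer",
    "Cache-Control": "no-store",
    "X-Robots-Tag": "noindex, nofollow",
}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def mint_secret_url(resource_id: str, nbytes: int = 32) -> str:
    """Create a link whose path segment carries nbytes of CSPRNG output."""
    token = secrets.token_urlsafe(nbytes)   # 32 bytes -> 43 URL-safe chars
    _registry[_digest(token)] = resource_id
    return BASE_URL + token


def token_entropy_bits(nbytes: int = 32) -> int:
    """Entropy of a token built from nbytes random bytes (encoding aside)."""
    return nbytes * 8


def resolve(token: str) -> Optional[str]:
    """Map a presented token to its resource, or None if unknown.

    Lookup is by digest, so lookup time depends only on the hash output,
    not on how many leading characters of the guess were right.
    """
    return _registry.get(_digest(token))


def revoke(token: str) -> bool:
    """Forget a token; returns True if it was live."""
    return _registry.pop(_digest(token), None) is not None


def handle_request(scheme: str, token: str) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, headers, body) for a request to the secret path.

    A plaintext (http) hit means the token has crossed the wire unencrypted:
    treat it as burned, rotate it, and report the new link to the caller.
    """
    resource = resolve(token)
    if resource is None:
        return 404, dict(SECRET_RESPONSE_HEADERS), None
    if scheme.lower() != "https":
        revoke(token)
        fresh = mint_secret_url(resource)
        return 409, dict(SECRET_RESPONSE_HEADERS), f"link exposed over http; rotated to {fresh}"
    return 200, dict(SECRET_RESPONSE_HEADERS), resource


if __name__ == "__main__":
    url = mint_secret_url("doc-1")
    print("issued:", url)
    tok = url[len(BASE_URL):]
    print("https:", handle_request("https", tok))
    print("http: ", handle_request("http", tok))
```

With 32 random bytes the path segment carries 256 bits of entropy, which is well past the 64 characters the answer suggests; storing only the digest means the registry is no more sensitive than a password-hash table, and the header set covers the two leakage paths the answer names (referrers and indexing).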
