Are secret URLs truly secure?

Question

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was on

Answer 1

Guessing an ascii hex string corresponding to 16 bytes presents a challenge of guessing a 128 bit AES key - which is considered impossible.

Answer 2

this is actually a pretty reasonable idea IF you use a large, and randomly generated url. there are many systems that actually work like this already. for example, in google docs, you can create a link that anyone with that link can edit the document. It's long enough that you could never feasibly guess that link. Also, password reset links are basically this, except they are (hopefully) only usable once. (see below)

You'll need to ensure that the secret is not leaked. That means using https, not logging accesses, or returning the secret in other api calls.

That said, as many above commenters mention, a URL is stored all sorts of insecure places on your computer, but if an adversary has access to your computer you are already screwed. It's pretty typical to assume that your end user device is secure.

Also, any secret is only secret inversely proportional to how many people know it. It may be tempting to share a url with other people who require access. A much better system might be to make each URL work once, but add a cookie to the user's browser, which is the actual token. Basically, just like a password reset flow/email confirm flow, except without passwords.

Answer 3

Not good idea because:

1. Someone may reveal your url be gaining local access to your system/database/application
2. Someday some administrator will put your access log files public and google will find them.
3. You will migrate/upgrade something in your server setup and will forgot to protect/hide those urls

Answer 4

The Waterken web server is a web platform designed by the security folk at HP research around secret (specifically cryptographically unguessable) URLs.

Applications built on it have some very interesting security properties as a result.

Done right, cryptographically strong secret URLs can provide high levels of security.

ACLs Don't is a paper from the waterken team on their security architecture.

Comparing the suggested defense to the capability based solution for the compilation scenario, and again assuming a Unix-like system: the URL is like the filename; and the unguessable token is like a file descriptor, approximating the unforgeability of a capability with unguessability. A legitimate page from the stock broker’s Web site first opens the stock purchase resource, receiving an unguessable secret. The browser then uses this unguessable secret to write to the stock purchase resource.

Answer 5

It's not secure.

For HTTP traffic your secret URL would effectively be public as soon as you use it. Without any password protection an eavesdropper listening to your network traffic could see the URL you send and then visit the same page.

Answer 6

would that be somehow discovered by a third party without getting the information from me? For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

Yes. You are thinking of the threat as a human being sitting at a computer typing the URL into their browser. The reality is that attackers use automated programs that perform reconnaissance on systems and use that information to attempt a variety of attacks. Trying random URLs has little cost for an automated system than can produce hundreds of HTTP requests per second. Second as others have noted, once you use the URL it is no longer secret. Those automated programs listen to internet traffic and collect URLs to attempt attacks on. The fact that only you know the URL means that no other person can divulge its value. It does not prevent technical means from divulging the value.