Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
747 views
in Technique[技术] by (71.8m points)

security - Are secret URLs truly secure?

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was only for my personal use---would that be somehow discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

The reason using a "secret URL" is usually insecure is not because it is "security through obscurity". In information theory, a secret URL is no different than a password or private key. Are passwords and private keys considered a poor practice because they are "security through obscurity"? No.

So what's the difference between a hard-to-guess URL and a hard-to-guess password?

The difference is in the myriad of insecure places and ways that URLs are stored, displayed, and transmitted. Examples:

  1. In web browser address bars, histories, and caches*
  2. HTTP Referer headers sent to other sites*
  3. In web server access logs*
  4. In proxy and layer 7 firewall access logs
  5. In packet dumps
  6. In web stats traffic reports (e.g. AWStats, Google Analytics)*

HTTPS can protect some of these, but not all of them (items marked with a * are not protected against by using HTTPS.)

In a highly controlled environment, hard-to-guess URLs can be secure. But when using common web browsers, web servers and web frameworks, hard-to-guess URLs should not be relied upon unless no other option exists (and even then you should consider carefully).


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...