

Ask HN: Do Parse's secret URLs provide reasonable security? - kabell

I am considering using Parse for a web/mobile app, and it appears that they use "secret URLs" as the primary security measure for accessing Parse files. Obviously this isn't SUPER secure, but it does seem to be a fairly common way to limit access to, say, "private photos" (e.g. Flickr does it). Would you consider this a "commercially reasonable" attempt to protect private data?
======
hnwebservices
This method seems fine for protecting data as far as I can tell.

I would definitely recommend using HTTPS, though, because only the hostname is
sent in plain text; the URL should be fully encrypted in an HTTPS request.

On the other hand, I'm not sure how reasonable this method is from a liability
perspective. If a client accidentally forwards a secure URL to someone who
causes them to lose money, then there might be a chance that you could be
liable for not securing your product effectively.

------
logn
There might be more attack vectors with this, but generating a long random
string is the basis of a lot of security mechanisms.
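
As an added illustration of the long-random-string approach discussed in this thread (not code from Parse or from any commenter), here is a small secret-URL store in Python. The host name, class name, 32-byte token length, and the expiry and revocation behaviour are assumptions made for the example.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; assumed length, not Parse's


class SecretUrlStore:
    """Maps unguessable URL tokens to file ids (hypothetical design)."""

    def __init__(self, base_url="https://files.example.test/f/"):
        # Constructed host. HTTPS keeps the path (and so the token) encrypted.
        self.base_url = base_url
        self._records = {}  # sha256(token) hex -> (file_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def mint(self, file_id, ttl_seconds=3600, now=None):
        """Create a secret URL for file_id that stops working after ttl_seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        # Store only the hash, so a leaked table does not leak working URLs.
        self._records[self._digest(token)] = (file_id, now + ttl_seconds)
        return self.base_url + token

    def resolve(self, url, now=None):
        """Return the file id for a valid, unexpired URL, else None."""
        now = time.time() if now is None else now
        if not url.startswith(self.base_url):
            return None
        record = self._records.get(self._digest(url[len(self.base_url):]))
        if record is None or now >= record[1]:
            return None
        return record[0]

    def revoke(self, url):
        """Invalidate a URL, e.g. after it was forwarded by accident."""
        if not url.startswith(self.base_url):
            return False
        digest = self._digest(url[len(self.base_url):])
        return self._records.pop(digest, None) is not None


if __name__ == "__main__":
    store = SecretUrlStore()
    link = store.mint("photo-1", ttl_seconds=60)
    print(link, "->", store.resolve(link))
```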

