FYI: private Github Gists are not as private as you think - franklovecchio

I e-mailed Github concerned about my private Gists being completely insecure, aside from a unique ID that is hard to guess. They responded quickly (+1 Github), though with a response I was afraid of -- security is a tradeoff, essentially (not sure I completely agree, as basic auth isn't THAT hard to implement in an API, and if I wanted to share a Gist, I'd make it non-private).  So, FYI -- if you know the Gist ID, even if it's marked private, you can view it.
======
cheald
This is the standard public/private mechanism for most all pastebin sites.
Private gists are private by the virtue of the fact that the URL is more or
less unguessable. It's not actually authentication-restricted.

For example, pastie does this. Here's a public paste:

<http://pastie.org/3537377>

And I can see the public paste made before mine by decrementing the URL:

<http://pastie.org/3537375>

But I can make a private paste:

<http://pastie.org/private/sd1fh4m2zesdn6nzkpcfa>

And the URL is a value that's likely some sort of ID + salt digest, and has
enough entropy that I couldn't effectively guess any other private URL.

Pastebin sites (Gist included) are specifically for the purpose of sharing
code with other people. It's not intended to be used as a private clipboard
for you to save snippets for later reference, though that's certainly a valid
use of it, as long as you're aware that they aren't actually authentication-
restricted.

~~~
franklovecchio
Interesting. Just because it's standard doesn't necessarily make it perfect?
I guess I'm just looking for a versioned script repository that's
authenticated and has an easy API to roll credentials. Is it too much to ask!?
:)

------
polemic
This is fairly common practice - for example pastie/pastebin, Skitch, Facebook
- all have 'private' URL options.

I _thought_ it was obvious, but that's only because I immediately understood
the implications of a shareable URL. That's not going to be obvious to
everyone, and GitHub really should change the "[lock icon] Create Private
Gist" to something like "Create Hidden Gist".

"Hidden" implies it's there if you find it. "Private" implies a whole lot
more.
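
The two points made above (cheald's sequential-versus-unguessable URL schemes, and polemic's distinction between a "hidden" paste and a genuinely "private" one) as an added example; this is illustration code, not pastie's or GitHub's implementation. The `derived_id` function is my assumption of what an "ID + salt digest" scheme could look like, and `PasteStore` is a constructed in-memory model:

```python
import base64
import hashlib
import hmac
import math
import secrets
from typing import Dict, Optional, Tuple

# Added example (not pastie's or GitHub's code): the identifier schemes cheald
# describes, plus the "hidden" vs "private" access rules polemic distinguishes.


def guess_space_bits(id_space_size: int) -> float:
    """Entropy in bits of an identifier drawn uniformly from `id_space_size` values."""
    return math.log2(id_space_size)


def counter_id(last_id: int) -> int:
    """Sequential scheme: the next paste is last_id + 1, so every ID is enumerable."""
    return last_id + 1


def random_id(nbytes: int = 16) -> str:
    """Unguessable scheme: a URL-safe token drawn from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


def derived_id(row_id: int, server_key: bytes) -> str:
    """Assumed 'ID + secret digest' scheme: an HMAC of the row id keyed with a
    server-side secret. Adjacent row ids give unrelated handles, so nothing is
    gained by stepping through the number space without the key."""
    mac = hmac.new(server_key, str(row_id).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()


class PasteStore:
    """Constructed in-memory store modelling both visibility rules."""

    def __init__(self) -> None:
        # token -> (owner, body, private flag)
        self._pastes: Dict[str, Tuple[str, str, bool]] = {}

    def create(self, owner: str, body: str, private: bool) -> str:
        token = random_id()
        self._pastes[token] = (owner, body, private)
        return token

    def fetch_hidden(self, token: str) -> Optional[str]:
        """'Hidden' semantics: anyone who holds the token can read the paste."""
        entry = self._pastes.get(token)
        return entry[1] if entry else None

    def fetch_private(self, token: str, requester: Optional[str]) -> Optional[str]:
        """'Private' semantics: a private paste is served only to its owner,
        regardless of who knows the URL."""
        entry = self._pastes.get(token)
        if entry is None:
            return None
        owner, body, private = entry
        if private and requester != owner:
            return None  # a real API would answer 401/403 here
        return body


if __name__ == "__main__":
    print(f"7-digit counter: {guess_space_bits(10 ** 7):.1f} bits")
    print(f"16 random bytes: {guess_space_bits(2 ** 128):.1f} bits")
    store = PasteStore()
    token = store.create("frank", "secret snippet", private=True)
    print("hidden fetch, no auth:", store.fetch_hidden(token))
    print("private fetch, no auth:", store.fetch_private(token, None))
```

The entropy numbers are the whole story of the "unguessable URL" argument: a seven-digit counter is about 23 bits and can be walked by decrementing, while a 16-byte CSPRNG token is 128 bits. The `fetch_hidden` path is what a pastebin-style "private" URL actually gives you; `fetch_private` is what the label suggests and what the original poster expected.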

~~~
franklovecchio
Hidden makes a whole lot more sense!

------
thomc
On the one hand, if you can argue that someone can guess the unique gist ID,
you could also argue they can guess your Github session ID, in which case
authentication is moot*

On the other hand, because the Gist ID is in the URL, it is more prone to
leaking.

One example: I uploaded a PDF (classification: public) to a web server and
sent the link to a few people. It was not published anywhere, not communicated
outside our group, there were no external links to it, so it could not be
spidered. Couple of days later Google had managed to index it, and it was
getting downloads. How did Google know it existed? Maybe someone used GMail,
maybe they had Google toolbar installed which submits URLs to Google for
indexing, who knows? I noticed Github has blocked Google et al from indexing
all the Gists with robots.txt, which helps.

Either way, probably best to be careful how you handle the "private" Gist
URLs, or just don't use them for super secret information.

*Yes, a session ID is longer, and should have a finite life span, so it may be harder, but it's the same kind of issue.

------
zackkitzmiller
I thought that was pretty obvious, since you can just share the URL with
anyone, without any sort of auth.

~~~
franklovecchio
So, ideally, if you "shared" an endpoint, and the Gist was marked "private",
you'd get something standard like "unauthenticated". Why else make it private?