Hacker News new | comments | ask | show | jobs | submit login

It's hard to believe so many people consider the use of shortened URLs a security measure. It is not, and was never intended to be. A URL is exposed, by definition, whether long or shortened. A shortened URL is a convenience, not a security tool. Some people misuse base64 encoding for "security" as well, but it does not mean we should get rid of base64 encoding.



Nobody was using shortened URLs with the intention of creating security (as a security measure). Rather, they were ignorant of the way shortened URLs degrade security. Different thing.


URLs aren't secrets.


Why not, if you've tried to keep it secret? They're an incredibly common means of giving out things to a limited set of people without having to explicitly authenticate them. They're used by a lot of mailing lists for e.g. unsubscribe links. If there's enough entropy and they're once-only it's a reasonable approach.

Otherwise you end up with people just sending around "go to this url with this login and password" through email and chat instead, which is slightly harder to automatically exploit but not really more secure.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: