Hacker News new | past | comments | ask | show | jobs | submit login

Surprisingly, it turns out that using security based on a URL with a random string is /not/ security by obscurity.

The security pattern of a URL with a random string is security-equivalent to a pubic username and a random string password, and also equivalent to the security pattern of a bearer token: so long as the URL is shared only with authorized users, it's the same security hardness.

The pattern can tune the security by using more randomness, such as more characters. There are implementation areas to consider, such choosing a random number generator with high quality randomness like /dev/urandom. There are some access control areas to consider, such as all the people having the same bearer token, which means there's no way to do finer-grained permissions per-user or per-role or per-attribute. There are some user interface areas to consider, such as if a user/agent doesn't treat the URL as secret, because it shows content rather than masking characters such as "*".

For comparison, "security by obscurity" means there's a weakness in how the security is built, such that if you saw the source code, or the physical insides of a lock, then you would understand more about how to crack the security.

In URL pattern, an example of security by obscurity would be if the URL string was not actually random but instead was simply incrementing, or was based on a reversible function of the time or username, etc. If you read the source code, you would discover that there's guessable sequence or guessable trick, and thus become much more likely to break the security.

Edit: I strongly favor higher security, and fine-grained access control, and multi-factor authentication, and UI/UX masking, etc. This post is just to look at security by obscurity.

Browsers do not treat URLs as secure. If you just go to the page and happen to be live-streaming on Twitch or whatever, anyone can access the document because the information is printed visibly on the screen. This makes it starkly different from a password.

And if you type your password onto a keyboard and happen to be live-streaming your physical self on Twitch or whatever from an angle where people can see your hands, they know your password too.

I did not know this distinction, thank you, it makes sense!

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact