Are secret URLs truly secure?

The reason using a "secret URL" is usually insecure is not because it is "security through obscurity". In information theory, a secret URL is no different than a password or private key. Are passwords and private keys considered a poor practice because they are "security through obscurity"? No.

So what's the difference between a hard-to-guess URL and a hard-to-guess password?

The difference is in the myriad of insecure places and ways that URLs are stored, displayed, and transmitted. Examples:

  1. In web browser address bars, histories, and caches*
  2. HTTP Referer headers sent to other sites*
  3. In web server access logs*
  4. In proxy and layer 7 firewall access logs
  5. In packet dumps
  6. In web stats traffic reports (e.g. AWStats, Google Analytics)*

HTTPS can protect some of these, but not all of them (items marked with a * are not protected by using HTTPS).

In a highly controlled environment, hard-to-guess URLs can be secure. But when using common web browsers, web servers and web frameworks, hard-to-guess URLs should not be relied upon unless no other option exists (and even then you should consider carefully).
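
The access-log and Referer exposures in the list above can be checked for on the server side. The following is an added example, not part of the original answer: it scans Combined Log Format lines for token-like strings in the request URL and the Referer field and redacts them. The log regex, the 20-character minimum, the digit requirement and the entropy threshold are assumed heuristics, and the sample lines are constructed.

```python
import math
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)'
    r'(?P<mid>" \d{3} \S+ ")(?P<referer>[^"]*)(?P<tail>" "[^"]*")$'
)
# Assumed heuristic: a secret is a long URL-safe run with a digit and high entropy.
TOKEN_RE = re.compile(r'[A-Za-z0-9_-]{20,}')
MIN_ENTROPY = 3.5  # bits per character (assumed threshold)

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_secret(tok):
    return any(ch.isdigit() for ch in tok) and shannon_entropy(tok) >= MIN_ENTROPY

def redact_url(url):
    """Return (redacted_url, number_of_tokens_replaced)."""
    hits = 0
    def repl(m):
        nonlocal hits
        if not looks_secret(m.group(0)):
            return m.group(0)      # ordinary slug or file name: keep
        hits += 1
        return "[REDACTED]"
    return TOKEN_RE.sub(repl, url), hits

def redact_log_line(line):
    """Redact tokens in the request URL and Referer of one log line.
    Returns (redacted_line, fields_in_which_a_token_was_found)."""
    m = LOG_RE.match(line)
    if not m:
        return line, []            # unparsed lines pass through unchanged
    url, url_hits = redact_url(m["url"])
    ref, ref_hits = redact_url(m["referer"])
    fields = [n for n, h in (("request", url_hits), ("referer", ref_hits)) if h]
    out = f'{m["head"]}{m["method"]} {url} {m["proto"]}{m["mid"]}{ref}{m["tail"]}'
    return out, fields

# Constructed sample lines (documentation addresses, made-up token).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /share/9fQ2xLr7Zt0aVbK3mWc8YpEd HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /logo.png HTTP/1.1" 200 2048 "https://files.example/share/9fQ2xLr7Zt0aVbK3mWc8YpEd" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /docs/getting-started-with-the-api HTTP/1.1" 200 900 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(redact_log_line(line))
```

The second sample line is how a secret URL typically reaches a log on a different host: the page behind the secret URL loaded a resource elsewhere, and the browser sent the full URL as the Referer.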


Original Answer: Security through obscurity is something that should never be practiced.


I'd like to expand on this, as I see some argument is still being made that a secret URL is no different than a password. I would highly disagree with that comparison. A secret URL and a password do share one similar characteristic: they are known to one or more specific person/people. That is where the similarity ends.

Strength of Passwords

  • Making a password out of a series of random words makes the password very strong and very hard to guess or brute force.

  • A password has to be coupled with a user name, which also can increase security if the user name is not common.

  • User name and password combinations are not statically shown on the screen, nor stored anywhere in the browser (unless you chose to have your browser "save" your login credentials).

  • Passwords can be changed in the case of a breach without the need to change the entry-point into the system.

  • Good password systems don't store them in plain-text on the filesystem.

Weakness of Secret URL

  • Unless used in "Incognito", "Private", etc. mode, the URL will be stored in your local history/cache.

  • URLs are shown in the browser window and can be privy to wandering eyes.

  • If the secret URL is compromised, you have to change it and notify anyone using it.

  • The URL exists in plain text on the server somewhere, whether as real directory/files or as a rewrite (however, a rewrite could be down at a much higher level).

  • Everything else that @Mike Clark has mentioned in his answer.

What it really comes down to:

  • Secret URLs are only practicing security through obscurity. That's it.

  • Passwords may be obscured information by definition, but the extra efforts, precautions, and safeguards taken around passwords add a level of security on top of it all. In other words, passwords are layered and are practicing security through other means in addition to obscurity. This, in turn, makes them a better choice than a simple obscured URL.

Recommendation: Use both a "secret" URL and a very strong user name/password combination. Don't rely on JUST a "secret" URL.

Never practice security using obscurity as the only safeguard.
