{"id":780,"date":"2008-07-22T18:31:35","date_gmt":"2008-07-22T18:31:35","guid":{"rendered":"https:\/\/www.docbug.com\/blog\/archives\/780"},"modified":"2008-07-22T18:31:35","modified_gmt":"2008-07-22T18:31:35","slug":"why-are-secret-urls-security-through-obscurity","status":"publish","type":"post","link":"https:\/\/www.docbug.com\/blog\/archives\/780","title":{"rendered":"Why are secret URLs &#8220;security through obscurity&#8221;?"},"content":{"rendered":"<p>Yesterday&#8217;s InformationWeek had <a href=\"http:\/\/www.informationweek.com\/news\/mobility\/security\/showArticle.jhtml?articleID=209101313\">an article<\/a> about how cellphone pictures sent via MMS (Multimedia Messaging Service) by customers of U.K. mobile network operator O2 are winding up available via Google search pages. The article, titled <em>Picture Leak: O2&#8217;s Security Through Obscurity Can&#8217;t Stop Google<\/em>, explains that O2 provides a fallback for customers who try to send photos from their cellphone to cellphones that don&#8217;t support MMS, namely they post the photos online and then send the recipient a URL to the picture via email. For security, each URL includes a 16-hex-digit (64-bit) message ID. 
The <em>&#8220;problem&#8221;<\/em>, as they breathlessly explain it, is that some of these URLs are getting indexed by Google, and can be discovered by performing a search with the <a href=\"http:\/\/www.google.com\/search?q=inurl:mms2legacy+site:o2.co.uk&#038;hl=en&#038;filter=0\"><em>inurl:<\/em><\/a> search type.<\/p>\n<p>The whole thing is much ado about nothing \u2014 <a href=\"http:\/\/www.mattcutts.com\/blog\/toolbar-indexing-debunk-post\/\">further investigation<\/a> shows that the reason a handful of these &#8220;secret&#8221; URLs wound up in Google is that people were using MMS to post photos directly to their <a href=\"http:\/\/1000milesdown.blogspot.com\/2008\/04\/day-3-foyers-connell-84-miles.html\">public<\/a> <a href=\"http:\/\/semaj.groupee.com\/displaystory\/content\/76710305859384626\">photo<\/a>&#8211;<a href=\"http:\/\/my.opera.com\/Lilbox\/about\/\">blogs<\/a>. While it&#8217;s not the case here, I do have to wonder at the charge that secret URLs are somehow just <a href=\"http:\/\/en.wikipedia.org\/wiki\/Security_through_obscurity\"><em>security through obscurity<\/em><\/a>, which usually refers to a system that is secure only as long as its design or implementation details remain secret. That&#8217;s not the case here \u2014 even a modest 16-hex-digit ID is about as difficult to guess as a random ten-character password containing numbers and upper &#038; lowercase letters. What <em>can<\/em> be a risk is that people and programs are used to URLs being public knowledge, and so sometimes they aren&#8217;t safeguarded as well as one might safeguard, say, his bankcard PIN. On the plus side, unguessable URLs can easily be made public when it&#8217;s appropriate, for example when posting to your photo blog from your O2 cellphone. 
Now if only we could selectively prevent clueless reporters trying to write scare-stories from finding them&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"class_list":["post-780","post","type-post","status-publish","format-standard","hentry","category-security"]}