Are secret URLs truly secure?

Posted 2019-01-21 12:48

I never leave backdoors in my system, but out of curiosity I was wondering: if I left a secret URL like /x52d23r that allowed bypassing some sort of security, and this was only for my personal use, would that be somehow discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

Tags: security url

8 answers
老娘就宠你
#2 · 2019-01-21 13:21

I'd say if you're careful they can be secure. The biggest security hole would be the people using it. It will be unintentionally shared or posted somewhere Google will index it. Design for that, and use it appropriately - like the Google docs "Anyone with this link" sharing method.

  1. Use HTTPS

     - Stops the URL being sent in plaintext

     - Doesn't set referrer headers if they click an HTTP link

  2. If people access your secret URL via HTTP, warn them and immediately change it

  3. It's not security through obscurity - that's a misunderstanding of the normal use of the phrase.

     "A system relying on security through obscurity may have theoretical or actual security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them."

     In contrast, here you're being open about implementation and design.

     I don't see that this is less secure than the average password when used with a long secret URL (64 characters anyone? 2000 - domain_length?), in combination with a tar-pit.

I'm planning to use it in an app where I feel people will value simplicity above security.

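The controls in the answer above (a long random path, HTTPS-only access with rotation when the secret shows up over plain HTTP, and a tar-pit on wrong guesses) can be combined in a small gate. The code below is an added example written for this page, not code from the answerer; the class name `SecretUrlGate`, the tar-pit delays and the `(allowed, delay, reason)` return shape are assumptions. It keeps only a hash of the secret server-side and returns the tar-pit delay to the caller instead of sleeping, so the policy can be unit-tested.

```python
import hashlib
import hmac
import math
import secrets

BASE64URL_ALPHABET = 64  # alphabet used by secrets.token_urlsafe


def secret_url_bits(length_chars: int, alphabet_size: int = BASE64URL_ALPHABET) -> float:
    """Entropy, in bits, of a uniformly random path segment of the given length."""
    return length_chars * math.log2(alphabet_size)


def new_secret_path(nbytes: int = 48) -> str:
    """48 random bytes encode to exactly 64 base64url characters (384 bits)."""
    return "/" + secrets.token_urlsafe(nbytes)


class SecretUrlGate:
    """Guards one secret path (hypothetical helper, not from the original answer).

    - the secret is stored only as a SHA-256 digest and compared in constant time
    - wrong paths over HTTPS get an exponentially growing tar-pit delay per client
    - the correct path seen over plain HTTP is treated as leaked and revoked
    """

    def __init__(self, tarpit_base: float = 0.5, tarpit_max: float = 8.0):
        self.tarpit_base = tarpit_base
        self.tarpit_max = tarpit_max
        self.failures = {}          # client id -> consecutive wrong guesses
        self._secret_hash = None    # None means "no valid secret right now"
        self.revocations = 0

    @staticmethod
    def _digest(path: str) -> bytes:
        return hashlib.sha256(path.encode("utf-8")).digest()

    def issue(self) -> str:
        """Mint a fresh secret path and return it to the owner; keep only its hash."""
        path = new_secret_path()
        self._secret_hash = self._digest(path)
        return path

    def _matches(self, path: str) -> bool:
        if self._secret_hash is None:
            return False
        return hmac.compare_digest(self._digest(path), self._secret_hash)

    def check(self, client: str, scheme: str, path: str):
        """Return (allowed, tarpit_delay_seconds, reason) for one request."""
        matched = self._matches(path)
        if scheme != "https":
            if matched:
                # The secret has just crossed the wire in plaintext: revoke it and
                # warn; the owner must call issue() to get a replacement.
                self._secret_hash = None
                self.revocations += 1
                return (False, 0.0, "secret seen over http; revoked")
            return (False, 0.0, "https required")
        if matched:
            self.failures.pop(client, None)
            return (True, 0.0, "ok")
        # Wrong guess over HTTPS: tar-pit this client, doubling up to a cap.
        misses = self.failures.get(client, 0) + 1
        self.failures[client] = misses
        delay = min(self.tarpit_max, self.tarpit_base * 2 ** (misses - 1))
        return (False, delay, "unknown path")


if __name__ == "__main__":
    gate = SecretUrlGate()
    secret = gate.issue()
    print(f"{len(secret) - 1}-char path, {secret_url_bits(64):.0f} bits of entropy")
    print(gate.check("10.0.0.1", "https", "/x52d23r"))   # tar-pitted miss
    print(gate.check("10.0.0.1", "https", secret))       # allowed
    print(gate.check("10.0.0.1", "http", secret))        # leaked, revoked
```

The caller applies the returned delay (for example with `time.sleep`) before responding, which keeps brute-force throughput per client low while a 384-bit path makes guessing infeasible in the first place.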
在下西门庆
#3 · 2019-01-21 13:30

This is actually a pretty reasonable idea IF you use a large, randomly generated URL. There are many systems that actually work like this already. For example, in Google Docs, you can create a link that anyone with that link can use to edit the document. It's long enough that you could never feasibly guess that link. Also, password reset links are basically this, except they are (hopefully) only usable once. (see below)

You'll need to ensure that the secret is not leaked. That means using HTTPS, not logging accesses, and not returning the secret in other API calls.

That said, as many above commenters mention, a URL is stored all sorts of insecure places on your computer, but if an adversary has access to your computer you are already screwed. It's pretty typical to assume that your end user device is secure.

Also, any secret is only secret inversely proportional to how many people know it. It may be tempting to share a url with other people who require access. A much better system might be to make each URL work once, but add a cookie to the user's browser, which is the actual token. Basically, just like a password reset flow/email confirm flow, except without passwords.

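The single-use link flow in the answer above (the URL works once and the real credential becomes a cookie, like a password reset or e-mail confirmation flow) together with its earlier advice not to log the secret, as an added example written for this page rather than code from the answerer. The class `OneTimeLinks`, the `/r/` path prefix, the TTL values and the `redact` log filter are assumptions; the server keeps only SHA-256 digests of both the link token and the cookie token, so a leaked database or log does not yield usable secrets.

```python
import hashlib
import re
import secrets

# Matches the secret segment of our (assumed) link format so it never reaches logs.
LINK_TOKEN_RE = re.compile(r"/r/[A-Za-z0-9_-]{20,}")


def redact(line: str) -> str:
    """Replace any link token in a log line with a fixed marker."""
    return LINK_TOKEN_RE.sub("/r/[REDACTED]", line)


def _h(token: str) -> str:
    # Store digests, not tokens; lookups then compare hashes of high-entropy
    # values, so a timing side channel on the dict lookup reveals nothing useful.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class OneTimeLinks:
    """Hypothetical capability-link store: each link redeems exactly once for a cookie."""

    def __init__(self, link_ttl: int = 3600, session_ttl: int = 86400):
        self.link_ttl = link_ttl
        self.session_ttl = session_ttl
        self._links = {}      # sha256(link token) -> expiry (unix seconds)
        self._sessions = {}   # sha256(cookie token) -> expiry (unix seconds)
        self.access_log = []  # what an access log would have recorded

    def create(self, now: int) -> str:
        """Mint a one-time link; the token itself is returned only to the recipient."""
        token = secrets.token_urlsafe(32)  # 256 bits -> 43 base64url chars
        self._links[_h(token)] = now + self.link_ttl
        return "/r/" + token

    def redeem(self, path: str, now: int):
        """Consume the link. Returns a cookie value on success, else None."""
        self.access_log.append(redact(f"{now} GET {path}"))
        if not path.startswith("/r/"):
            return None
        # pop() removes the entry whether or not it is still valid, so a link
        # can never be replayed, not even after an expired attempt.
        expiry = self._links.pop(_h(path[len("/r/"):]), None)
        if expiry is None or now > expiry:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[_h(cookie)] = now + self.session_ttl
        return cookie

    def authorized(self, cookie: str, now: int) -> bool:
        """Check the cookie presented on later requests (the real credential)."""
        expiry = self._sessions.get(_h(cookie))
        return expiry is not None and now <= expiry


if __name__ == "__main__":
    store = OneTimeLinks()
    link = store.create(now=1000)
    cookie = store.redeem(link, now=1010)
    print("first redeem ok:", cookie is not None)
    print("second redeem ok:", store.redeem(link, now=1011) is not None)  # False
    print("cookie authorized:", store.authorized(cookie, now=2000))
    print("log:", store.access_log)
```

In a real deployment the cookie would be set with the `Secure`, `HttpOnly` and `SameSite` attributes and the link would be delivered over HTTPS only, for the reasons given in both answers.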