
Say I own a domain name www.example.com and I'd like to host some resources on it, but being reasonably hidden from the public.

Since 256 bits has sufficiently large entropy to prevent an exhaustive traversal, is it correct to consider any URL from my website that contains a hash as hidden and secured?

For example if I want to temporarily host a secret item on the domain, I could simply put it at

www.example.com/resources/4D81C2C53B68BFA49CDFD5D641689BA7F35FD668577D7D8F0BB24F8F2822BC8D

  • Crawlers won't be able to find it
  • Malicious users won't be able to find it
  • The URL won't be published anywhere, so search engines won't index it (kinda linked to point 1)
  • It won't be in the sitemap

I'm just wondering if there are any practical applications of that kind of scheme in the real world?

schroeder
Arthur Attout
  • As the duplicates explain: it depends on how long the URL is active, how sensitive the info is, how many of these links would be active at once, what threats you are worried about since the URL will be exposed in various places, and how your server handles brute-force guessing. – schroeder Jun 25 '20 at 12:06
  • Are there examples of such a scheme? Sure, all over the place. Password reset links are a long random string. – schroeder Jun 25 '20 at 12:06
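The scheme from the question combined with the factors the comments list (link lifetime, number of active links, guessing), as an added example that is not part of the original question or comments. `SecretLinkStore` and `guess_probability` are hypothetical names, and the in-memory dictionary stands in for whatever storage the server would really use.

```python
import hashlib
import secrets
import time

BASE_URL = "https://www.example.com/resources/"  # domain taken from the question
TOKEN_BYTES = 32                                  # 256 bits from the OS CSPRNG


class SecretLinkStore:
    """Expiring unguessable links; only a digest of each token is kept server-side."""

    def __init__(self):
        self._links = {}  # sha256(token) hex digest -> (expires_at, resource)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create(self, resource, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(TOKEN_BYTES).upper()  # 64 hex characters
        self._links[self._digest(token)] = (now + ttl_seconds, resource)
        return BASE_URL + token

    def resolve(self, url, now=None):
        """Return the resource for a live link, or None (unknown, malformed, expired)."""
        now = time.time() if now is None else now
        if not url.startswith(BASE_URL):
            return None
        token = url[len(BASE_URL):]
        if len(token) != 2 * TOKEN_BYTES:
            return None
        digest = self._digest(token)  # lookup by digest, never by raw token
        entry = self._links.get(digest)
        if entry is None:
            return None
        expires_at, resource = entry
        if now >= expires_at:
            del self._links[digest]   # expired links are removed, not just hidden
            return None
        return resource


def guess_probability(active_links, guesses):
    """Upper bound on the chance that `guesses` random tries hit any live link."""
    return min(1.0, active_links * guesses / 2 ** (8 * TOKEN_BYTES))
```

The token still appears wherever the URL does (browser history, proxy and server logs, `Referer` headers), so the short lifetime matters more than the size of the search space.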

0 Answers