Mongo ObjectIDs: Safe to use in the wild?

Views: 53

Question

I'm designing an API that interacts with MongoDB.

Now the question is whether it is safe to use the raw ObjectID to query for objects etc. Could any security issues arise when using the OIDs directly (e.g. in queries), or should I encrypt/decrypt them before they leave my server environment?

Answer

Look at the BSON Object ID specification here and you will know whether it is safe for you to use.

If you try to protect against users sending different URLs from scripts (fuskators), then it seems to me it has weak security. There won't be too many 'machine', 'pid' part combinations. The 'time' part can be calculated if an attacker has an idea of how the data was inserted (especially if using batch inserts). 'inc' - very weak.

I won't trust ObjectIDs as the only security.

Please note there can't be a right answer to the question "is it safe" in general. You must decide yourself.

PS. But keep in mind that such URL-based security will fall to dust when users share the URLs they visited. Even your best encryption won't help.
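The following is an added example, not code from the question or the answer above. It parses the classic 12-byte ObjectId layout the answer refers to (4-byte Unix timestamp, 3-byte machine id, 2-byte pid, 3-byte counter) and then does what an attacker with one leaked id would do: keep the machine and pid bytes, and walk the counter and timestamp a few steps in each direction. A batch insert produces ids that differ only in the counter, so a small radius recovers the whole batch. All ids here are constructed with the block's own `build_object_id`; the `public_handle` helper at the end is one way to avoid the problem, by exposing a random surrogate key in URLs instead of the `_id`. Caveat: since MongoDB 3.4 the machine and pid bytes were replaced by a 5-byte per-process random value, which removes the machine/pid guess but leaves the sequential counter in place, so the enumeration step still applies within one process.

```python
import secrets
import struct
from datetime import datetime, timezone


def parse_object_id(hex_id: str) -> dict:
    """Split a 24-hex-char ObjectId into its classic fields.

    Layout (pre-3.4 spec): time(4) | machine(3) | pid(2) | inc(3), big-endian.
    """
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be exactly 12 bytes")
    (ts,) = struct.unpack(">I", raw[0:4])
    machine = int.from_bytes(raw[4:7], "big")
    (pid,) = struct.unpack(">H", raw[7:9])
    inc = int.from_bytes(raw[9:12], "big")
    return {
        "time": ts,
        "issued_at": datetime.fromtimestamp(ts, tz=timezone.utc),  # creation time leaks too
        "machine": machine,
        "pid": pid,
        "inc": inc,
    }


def build_object_id(time: int, machine: int, pid: int, inc: int) -> str:
    """Inverse of parse_object_id; masks keep each field inside its width."""
    return (
        struct.pack(">I", time & 0xFFFFFFFF)
        + (machine & 0xFFFFFF).to_bytes(3, "big")
        + struct.pack(">H", pid & 0xFFFF)
        + (inc & 0xFFFFFF).to_bytes(3, "big")
    ).hex()


def enumerate_neighbours(leaked_hex: str, inc_radius: int = 3, time_radius_s: int = 1) -> list:
    """Candidate ids an attacker tries after seeing one id.

    machine and pid are reused unchanged (they are constant for a server
    process); only the counter and the timestamp are varied.
    """
    f = parse_object_id(leaked_hex)
    candidates = []
    for dt in range(-time_radius_s, time_radius_s + 1):
        for di in range(-inc_radius, inc_radius + 1):
            if dt == 0 and di == 0:
                continue  # that is the leaked id itself
            candidates.append(build_object_id(f["time"] + dt, f["machine"], f["pid"], f["inc"] + di))
    return candidates


def simulate_batch(time: int, machine: int, pid: int, start_inc: int, n: int) -> list:
    """Constructed stand-in for a batch insert: same second, consecutive counter."""
    return [build_object_id(time, machine, pid, start_inc + i) for i in range(n)]


def recovered_fraction(leaked_hex: str, batch: list, **radius) -> float:
    """Share of the other batch ids that fall inside the attacker's candidate set."""
    candidates = set(enumerate_neighbours(leaked_hex, **radius))
    others = [b for b in batch if b != leaked_hex]
    return sum(1 for b in others if b in candidates) / len(others)


def public_handle() -> str:
    """Unguessable surrogate id to put in URLs instead of the ObjectId.

    Store it on the document, index it, and resolve it server-side; this is
    an assumed design, not something MongoDB does for you.  It does not
    replace an authorization check on every query.
    """
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    # Constructed scenario: five documents inserted in one batch, one id leaks.
    batch = simulate_batch(1700000000, 0xABCDEF, 1234, 100, 5)
    leaked = batch[2]
    print("leaked id fields:", parse_object_id(leaked))
    print("recovered with inc radius 3:", recovered_fraction(leaked, batch, inc_radius=3))
    print("recovered with inc radius 1:", recovered_fraction(leaked, batch, inc_radius=1))
    print("surrogate handle instead:", public_handle())
```

The point of `recovered_fraction` is that the counter radius needed is about the batch size, not the 2^24 range of the field; with machine and pid fixed, the attacker's search space is a few dozen ids rather than 2^96. Whatever identifier is exposed, the query that resolves it must still be scoped to the requesting principal, which is what the PS in the answer is really about.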
