Are secret URLs truly secure?


Question

I never leave backdoors in my system, but out of curiosity I was wondering if I left a secret URL like /x52d23r that allowed to bypass some sort of security, and this was only for my personal use---would that be somehow discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

Recommended answer

Original Answer: Security through obscurity is something that should never be practiced.

I'd like to expand on this, as I see some argument is still being made that a secret URL is no different than a password. I would highly disagree with that comparison. A secret URL and a password do share one similar characteristic: they are known to one or more specific person/people. That is where the similarity ends.

Password strengths

  • A password has to be coupled with a user name, which also can increase security if the user name is not common.

  • User name and password combinations are not statically shown on the screen, nor stored anywhere in the browser (unless you chose to have your browser "save" your login credentials).

  • Passwords can be changed in the case of a breach without the need to change the entry-point into the system.

  • Good password systems don't store them in plain-text on the filesystem.

Weaknesses of secret URLs

  • Unless used in "Incognito", "Private", etc. mode, the URL will be stored in your local history/cache.

  • URLs are shown in the browser window and can be privy to wandering eyes.

  • If the secret URL is compromised, you have to change it and notify anyone using it.

  • The URL exists in plain text on the server somewhere, whether as real directory/files or as a rewrite (however, a rewrite could be done at a much higher level).

  • Everything else that @Mike Clark has mentioned in his answer.

What it really boils down to:

  • Secret URLs are only practicing security through obscurity. That's it.

Passwords may be obscured information by definition, but the extra efforts, precautions, and safeguards taken around passwords add a level of security on top of it all. In other words, passwords are layered and are practicing security through other means in addition to obscurity. This, in turn, makes them a better choice than a simple obscured URL.

Recommendation: Use both a "secret" URL and a very strong user name/password combination. Don't rely on JUST a "secret" URL.

Never practice security using obscurity as the only safeguard.
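The answer's two central points, that the obscure path ends up in plain text in logs and history while a well-handled password does not, and that the path should be one layer on top of real authentication rather than the only one, can be seen in a small simulation. The following Python is an added example written for this page, not code from the answer's author; the path /x52d23r comes from the question, while the user name, password, and the tiny request-handler and log format are constructed for illustration:

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values: the path is the one from the question, the
# user name and password are made up for this example.
SECRET_PATH = "/x52d23r"
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest). Only these two values are
    stored, never the password itself, so a leaked user table does not
    reveal it; this is what "not stored in plain text" means in practice."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; return None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth_header(user: str, password: str) -> Dict[str, str]:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


@dataclass
class Server:
    """Minimal stand-in for an application behind a web server that keeps an access log."""
    users: Dict[str, Tuple[bytes, bytes]]          # user name -> (salt, digest)
    access_log: List[str] = field(default_factory=list)

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> int:
        status = self._route(path, headers)
        # Typical access logs record the request line and status but not the
        # Authorization header: the obscure path lands in the log in clear
        # text, the password does not.
        self.access_log.append(f'"{method} {path} HTTP/1.1" {status}')
        return status

    def _route(self, path: str, headers: Dict[str, str]) -> int:
        if path != SECRET_PATH:
            return 404                  # obscurity layer: an unknown path looks like nothing is there
        creds = parse_basic_auth(headers.get("Authorization", ""))
        if creds is None:
            return 401                  # the secret path alone is not enough
        user, password = creds
        record = self.users.get(user)
        if record is None or not verify_password(password, *record):
            return 401
        return 200


def demo() -> Dict[str, object]:
    """Exercise the layered check and report what the access log exposes."""
    server = Server(users={DEMO_USER: hash_password(DEMO_PASSWORD)})
    results: Dict[str, object] = {
        "wrong_path": server.handle("GET", "/admin", basic_auth_header(DEMO_USER, DEMO_PASSWORD)),
        "path_only": server.handle("GET", SECRET_PATH, {}),
        "bad_password": server.handle("GET", SECRET_PATH, basic_auth_header(DEMO_USER, "wrong")),
        "path_and_password": server.handle("GET", SECRET_PATH, basic_auth_header(DEMO_USER, DEMO_PASSWORD)),
    }
    log_text = "\n".join(server.access_log)
    results["secret_path_in_log"] = SECRET_PATH in log_text      # True: the URL secret leaks
    results["password_in_log"] = DEMO_PASSWORD in log_text       # False: the password does not
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the secret path alone yielding 401, the right path with the right password yielding 200, and every request, successful or not, writing the path into the log in clear text while the password never appears there; changing the password later touches only the stored salt and digest, not the entry point.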
