Tuesday, May 19, 2009

"Unguessable" URLs

Yesterday I saw a tweet go by saying that some websites provide security by generating "unguessable" URLs.  It didn't say what they're trying to protect; if it's something low-value that's probably not a problem.  But it does raise the question of what's meant by "unguessable" and whether or not the people writing the code have any kind of understanding of randomness and how to get it.  It is reminiscent, to some extent, of people who post to Usenet that they've got an "unbreakable" crypto algorithm and it turns out to be XOR-based.  So, given the constraints of a URL format (characters, length, etc.) how likely is it that given a few examples of one of these unguessable URLs someone would really be unable to start generating guesses and getting hits?

In 2001 Michael Zalewski published a really fascinating paper in which he provided visualizations of the required-to-be-random TCP initial sequence numbers from a number of different operating systems, here.  Kevin Mitnick was able to exploit the poor ISN randomness to hijack TCP sessions and break into some systems.  The combination of the high visibility of Mitnick's actions and Zalewski's striking visualizations motivated a number of OS vendors to improve their random ISN generation, and a year later Zalewski published a follow-up paper in which he published visualizations of the revisions.  There were still problems.  Randomness is hard.  Relying on the ability to protect content or transactions through the use of "unguessable" URLs seems unduly risky to me.

1 comment:

  1. On a tangentially related note, I was once troubleshooting some problem concerning web analytics-y code on pages belonging to a major European airline. The data that was sent over to the vendor (who I was working for) somehow broke in the vendor's code, and I was trying to figure out where and in whose code the breakage occurred. At one point, stuck, I retrieved one of the HTTP-Referer URLs and opened it in a browser. And instead of some "expired session" error, I was staring at someone's boarding pass.

    The relationship deteriorated from there.

    ReplyDelete