Are secret URLs truly secure?

Tags: security, url

I never leave backdoors in my system, but out of curiosity I was wondering: if I left a secret URL like /x52d23r that allowed me to bypass some sort of security, and this was only for my personal use, would it somehow be discovered by a third party without getting the information from me?

For example, secret ports can be port scanned and fingerprinted, but can the same sort of tactic be done for secret URLs?

asked Jan 28 '11 21:01 by Dexter


1 Answer

The reason using a "secret URL" is usually insecure is not because it is "security through obscurity". In information theory, a secret URL is no different than a password or private key. Are passwords and private keys considered a poor practice because they are "security through obscurity"? No.

So what's the difference between a hard-to-guess URL and a hard-to-guess password?

The difference is in the myriad of insecure places and ways that URLs are stored, displayed, and transmitted. Examples:

  1. In web browser address bars, histories, and caches*
  2. HTTP Referer headers sent to other sites*
  3. In web server access logs*
  4. In proxy and layer 7 firewall access logs
  5. In packet dumps
  6. In web stats traffic reports (e.g. AWStats, Google Analytics)*

HTTPS can protect some of these, but not all of them (items marked with a * are not protected by using HTTPS).

In a highly controlled environment, hard-to-guess URLs can be secure. But when using common web browsers, web servers and web frameworks, hard-to-guess URLs should not be relied upon unless no other option exists (and even then you should consider carefully).

answered Oct 16 '22 23:10 by 12 revs
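As an added example, not part of the original answer, the following Python treats a capability URL the way the answer suggests a password should be treated: it flags the Referer leak (item 2) in constructed access-log lines, scrubs the secret path out of the request and Referer fields before the line is stored (item 3), and lists the response headers that keep the URL out of browser caches and Referer headers (items 1 and 2). The path /x52d23r comes from the question; the log lines, IP addresses and host app.example are constructed for illustration.

```python
import hashlib
import re

# Constructed sample access-log lines in combined log format, as a web server would
# record them. The second line shows the secret path leaking through the Referer
# header when the secret page loads another resource.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jan/2011:21:01:14 +0000] "GET /x52d23r HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Jan/2011:21:01:15 +0000] "GET /logo.png HTTP/1.1" 200 900 "https://app.example/x52d23r" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jan/2011:21:02:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "curl/7.64"',
]

# Capability URLs the operator has issued (value taken from the question, hypothetical).
SECRET_PATHS = ["/x52d23r"]

# The Referer is the second-to-last quoted field in the combined format.
COMBINED_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" ')


def fingerprint(path: str) -> str:
    """Short non-reversible stand-in so requests to the same URL stay correlatable in logs."""
    return hashlib.sha256(path.encode()).hexdigest()[:8]


def scrub_line(line: str, secret_paths=SECRET_PATHS) -> str:
    """Replace each secret path wherever it appears (request line or Referer) before storage."""
    for path in secret_paths:
        # Lookahead keeps a longer path such as /x52d23rzz from being rewritten.
        pattern = re.escape(path) + r'(?=[/?#" ]|$)'
        line = re.sub(pattern, f"/[secret:{fingerprint(path)}]", line)
    return line


def referer_leak(line: str, secret_paths=SECRET_PATHS) -> bool:
    """True when a secret path shows up in the Referer field, i.e. a browser sent it onward."""
    m = COMBINED_RE.match(line)
    if not m:
        return False
    return any(path in m.group("referer") for path in secret_paths)


def hardening_headers() -> dict:
    """Response headers for a page served at a secret URL: no Referer, no caching."""
    return {"Referrer-Policy": "no-referrer", "Cache-Control": "no-store, private"}


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(("LEAK " if referer_leak(raw) else "     ") + scrub_line(raw))
```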