How can I generate a "private URL" with state of the art balance between security and convenience?

Tags: security, url

Where can I find a well-written, in-depth technical discussion about "private URLs" like the ones used in Google Docs' "anyone with the link" sharing setting? I'm looking for topics like the algorithm and implementation for generating a link, the size of the ID space it uses, analysis of the security implications, and pragmatic compromises in security for convenience. I want to avoid reading dogma about "security through obscurity".

I found one loosely related Stack Overflow question, but it doesn't treat the topic in much depth, and the answers are more dogmatic and less pragmatic than I'd like.

I searched Google Scholar for "anyone with the link", "secret URL", and "private URL". I found a few interesting papers and patents, but I'm still interested to learn more about what the state of the art is.[1] [2] [3] [4] [5]

Matt McClure asked Sep 18 '12 14:09


1 Answer

I suspect the lack of response to this question is primarily a reflection of the fact that 1) the problem space is highly nuanced and 2) the people that have solved it before don't feel like talking about what they have done. I'll try to buck the trend. :)

Pragmatically, the following variables tend to dominate conversations I've seen:

  • If a user has the link in hand and fwds it to friends, is this a feature or a bug?
  • If the content owner wants to revoke access (i.e. revoke the link), how easy should this be to do? How frequent of an occurrence is it?
  • Should the link time out? If so after how long?
  • Where is "the line" in our comfort here? For example, if it is a link to a document, is read only good enough? Should it be read-write capable? Is there a limit to our comfort given the threat model?
  • Is there a limit to the # of times the link should be usable?
  • Do we care if the links are pretty or can they have some ugly huge blob in them?
  • What sorts of concerns exist wrt versioning of the links, the back-end services, and things that might cause breaking changes?
  • If the underlying content moves / links change, should the private links that have been sent out break? More generally, what sorts of operations should break the links, and what user experience impact should that have?
  • Assuming a highly skilled attacker is after your links, what other defenses exist to prevent guessing against the space, and what instrumentation story do you have? You then overlay this with the math in the links themselves and convince yourself you have a threat model where it takes to guess a singular link, and with a cost model such that it is egregiously expensive.

In terms of implementations, I'm not aware of papers or off-the-shelf implementations that do this. Every one I've been a part of (sadly, I've been a part of more than one...) has been custom. I could propose a singular set of trade-offs and comment on them here, but I'm not sure it would be helpful. Everyone would answer the questions above differently.

I'm happy to comment more on your particular scenario with more data...

Eric Fleischman answered Sep 20 '22 08:09
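The knobs the answer lists (link time-out, use limit, owner revocation, read vs. write, and the size of the ID space) in working form, as an added example that is not part of the question or the answer; the in-memory `_store`, the 128-bit token size and the function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed choice: 16 random bytes = 128-bit ID space. At 10^9 guesses per
# second an attacker needs on the order of 10^22 years to hit one link, so the
# math alone holds; rate limits and instrumentation catch noisy guessing first.
TOKEN_BYTES = 16

# Hypothetical in-memory store: sha256(token) -> link record.
# Only the hash is kept, so a leaked store does not yield working links.
_store: Dict[str, dict] = {}

def _key(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()

def create_link(resource: str, *, ttl: float = 7 * 86400,
                max_uses: Optional[int] = None, mode: str = "read",
                now: Optional[float] = None) -> str:
    """Mint a capability token for `resource`; the caller embeds it in the URL."""
    token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe base64
    _store[_key(token)] = {
        "resource": resource,
        "mode": mode,                       # "read" or "write": where "the line" is
        "expires": (now if now is not None else time.time()) + ttl,
        "uses_left": max_uses,              # None = unlimited
        "revoked": False,
    }
    return token

def redeem(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (resource, mode) and consume one use if the link is live, else None."""
    rec = _store.get(_key(token))          # unknown token: no record, same answer
    if rec is None or rec["revoked"]:
        return None
    if (now if now is not None else time.time()) > rec["expires"]:
        return None
    if rec["uses_left"] is not None:
        if rec["uses_left"] <= 0:
            return None
        rec["uses_left"] -= 1
    return rec["resource"], rec["mode"]

def revoke(resource: str) -> int:
    """Owner-side revocation: kill every outstanding link to `resource`."""
    hits = [r for r in _store.values() if r["resource"] == resource and not r["revoked"]]
    for r in hits:
        r["revoked"] = True
    return len(hits)
```

Breaking links when content moves, as the answer asks about, is then a choice between keying records by a stable resource id (links survive) or by path (links break).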