Security Of Cloud Shared Links
-
I was wondering how secure people feel the links that various services use to share "public" links are. Do you think they are unique enough to be secure?
Obviously assigning them to specific users is always MOST secure, but in the instances where this is not possible/desired, how safe do you feel using these links?
I included some share links from my accounts (files since removed) below for examples...
Google Drive:
https://docs.google.com/document/d/1nGo-mhYkf_r7il-HgeEfUJ3H9CTan3bwmq0BAlPeoXk/edit?usp=sharing
One other thing I noted as I was writing this post is that ODfB includes both your company Sharepoint site AND your e-mail address in the link. Do people actually use that? That actually looks like the longest (and hence ... safest?) unique identifier, though.
-
I've used them all. I haven't actually read about the technology behind how the links are built so I have no idea how easy they are to guess.
The Google one is 42 characters long so I think that's - oh crap I forget how to figure out password strength.. but assuming a minimum of 58 characters in the char set... it's pretty damned good.
-
@BRRABill said in Security Of Cloud Shared Links:
I was wondering how secure people feel the links that various services use to share "public" links are. Do you think they are unique enough to be secure?
Well, what do you consider secure? Keep in mind that a username/password combo is the same as the two merged. So if your username was bill and your password is P@ssw0rd then that is literally no different than a passcode of billP@ssw0rd. Does that make sense? If you consider that usernames essentially never have caps, numbers or special characters and are almost always short, you can pretty safely assume that the security of the username portion approaches zero.
The Google Apps link is fully random and far, far longer than any normal username/password combination plus has no "weak portion" and always uses a larger character set.
So it would be, I would guess, trillions of times more secure than normal username/password situations.
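
The length-times-character-set arithmetic from the two replies above, as an added example that is not part of any post in this thread. It parses the Google Drive link quoted in the first post and compares it with the 42-character, 58-symbol estimate and with a login whose username is already known. The function names, the 8-character random password, the count of live secrets and the guess rate are assumptions made for illustration, and every figure is an upper bound that holds only if each character is chosen uniformly at random.

```python
import math
import string
from urllib.parse import urlparse

# URL-safe base64 alphabet: 64 symbols, 6 bits each when chosen uniformly.
URLSAFE = set(string.ascii_letters + string.digits + "-_")
SECONDS_PER_YEAR = 365 * 24 * 3600

def link_token(url):
    """Return the longest path segment, taken here to be the opaque file ID."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    return max(segments, key=len)

def random_bits(length, alphabet_size):
    """Entropy upper bound: assumes every character is independent and uniform."""
    return length * math.log2(alphabet_size)

def years_to_first_hit(bits, live_secrets, guesses_per_second):
    """Expected time for blind guessing to hit ANY one of `live_secrets` values."""
    expected_guesses = 2 ** bits / live_secrets
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR

# The Google Drive link quoted in the first post (file since removed).
URL = "https://docs.google.com/document/d/1nGo-mhYkf_r7il-HgeEfUJ3H9CTan3bwmq0BAlPeoXk/edit?usp=sharing"
TOKEN = link_token(URL)

def compare():
    """Bits for the link ID, the thread's 42x58 estimate, and a known-username login."""
    return {
        "link_id": random_bits(len(TOKEN), len(URLSAFE)),
        "thread_estimate": random_bits(42, 58),
        # Username treated as known (0 bits); password assumed 8 random printable chars.
        "username_plus_password": 0 + random_bits(8, 95),
    }

if __name__ == "__main__":
    assert set(TOKEN) <= URLSAFE  # the ID uses only URL-safe base64 characters
    for name, bits in compare().items():
        # Constructed workload: 1e12 live secrets, 1e9 guesses per second.
        years = years_to_first_hit(bits, 1e12, 1e9)
        print(f"{name:24s} {bits:6.1f} bits  {years:.2e} years")
```

The bits only measure resistance to blind guessing; a link that is forwarded, logged or indexed is disclosed regardless of its length.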
-
@scottalanmiller said
So it would be, I would guess, trillions of times more secure than normal username/password situations.
So you would have no issue sharing a highly confidential file with me via Google Drive?
-
@BRRABill said in Security Of Cloud Shared Links:
@scottalanmiller said
So it would be, I would guess, trillions of times more secure than normal username/password situations.
So you would have no issue sharing a highly confidential file with me via Google Drive?
Less than any other shared service type. It's securely hosted and heavily password protected. It's not perfect, nothing is. But it is extremely secure.
And if you only share it from time to time and not forever, it becomes insanely secure.
-
And, compromising one document does not expose another. It's a crazy long password for each file!
-
@scottalanmiller said in
Less than any other shared service type. It's securely hosted and heavily password protected. It's not perfect, nothing is. But it is extremely secure.
But OneDrive is also pretty secure. If you add both the link and the auth key it has to be 40 characters plus.
Would you feel moderately secure there as well?
-
@BRRABill said in Security Of Cloud Shared Links:
Would you feel moderately secure there as well?
Moderately? What do you consider "very" secure? Do you mean "not shared" files or "already deleted" files?
-
@scottalanmiller said
Moderately? What do you consider "very" secure? Do you mean "not shared" files or "already deleted" files?
I mean if you were using OneDrive (or ODfB or SharePoint) and wanted to share a very confidential file with a client would you feel confident doing so?
-
@BRRABill said in Security Of Cloud Shared Links:
@scottalanmiller said
Moderately? What do you consider "very" secure? Do you mean "not shared" files or "already deleted" files?
I mean if you were using OneDrive (or ODfB or SharePoint) and wanted to share a very confidential file with a client would you feel confident doing so?
More confident than any other method. So on a scale of 1 to 10, 1 being totally insecure and 10 being "as secure as any product you can get today" I'd be pretty close to 10.
-
Of course, you could make your OWN service for this that requires a long username, a super long password, a dongle, an RSA card, responding to a text message AND a 500 character URL.... but within reason this is basically as secure as things get.
-
@scottalanmiller said in Security Of Cloud Shared Links:
Of course, you could make your OWN service for this that requires a long username, a super long password, a dongle, an RSA card, responding to a text message AND a 500 character URL.... but within reason this is basically as secure as things get.
What about things like ownCloud where you get a link sent to you, and a password sent to you (preferably by different means)...?
-
@dafyre said in Security Of Cloud Shared Links:
@scottalanmiller said in Security Of Cloud Shared Links:
Of course, you could make your OWN service for this that requires a long username, a super long password, a dongle, an RSA card, responding to a text message AND a 500 character URL.... but within reason this is basically as secure as things get.
What about things like ownCloud where you get a link sent to you, and a password sent to you (preferably by different means)...?
It's the combined length that makes it secure.
-
Do you know if the SharePoint nomenclature is the same for everyone that uses the hosted version?
I mean, I guess everyone has your e-mail address and domain anyway. Just seemed ... personal to be out there like that.
-
@BRRABill said in Security Of Cloud Shared Links:
Do you know if the SharePoint nomenclature is the same for everyone that uses the hosted version?
I mean, I guess everyone has your e-mail address and domain anyway. Just seemed ... personal to be out there like that.
It would all be the same, yes.
-
@BRRABill said in Security Of Cloud Shared Links:
Do you know if the SharePoint nomenclature is the same for everyone that uses the hosted version?
I mean, I guess everyone has your e-mail address and domain anyway. Just seemed ... personal to be out there like that.
Your email address, like your home address, isn't private - really can't be. So it's not something that's part of security.
-
@BRRABill said in Security Of Cloud Shared Links:
@scottalanmiller said
It would all be the same, yes.
Well, I guess POTUS wouldn't want to use that!
I don't follow.
-
@scottalanmiller said
I don't follow.
I guess it just felt ... dirty ... to give out that much info.
-
@BRRABill said in Security Of Cloud Shared Links:
@scottalanmiller said
I don't follow.
I guess it just felt ... dirty ... to give out that much info.
I still have no idea what you are referencing.