Security Of Cloud Shared Links
-
I'm not really understanding this thread. If you publish a video on YouTube (or similar) and set it to "unlisted", then only those people with the link can find it. It won't be indexed by search engines because it's marked as unlisted.
If someone takes your link and publishes on a website, then it will be indexed, because it is no longer private - the link has been shared to the world. The video isn't shared or publicly exposed, but the link to it is.
Is that what you're talking about?
-
@BRRABill said in Security Of Cloud Shared Links:
Are you saying that unless you publish them directly to the search engine, no search engine is EVER going to find them?
Not quite. I'm saying that the search engines are less likely to find them than they are to find your username and password and publish everything you have today.
I think the issue is not that you are misunderstanding public link security, but that you overly trust an emotional response to usernames.
-
@Carnival-Boy said in Security Of Cloud Shared Links:
I'm not really understanding this thread. If you publish a video on YouTube (or similar) and set it to "unlisted", then only those people with the link can find it. It won't be indexed by search engines because it's marked as unlisted.
If someone takes your link and publishes on a website, then it will be indexed, because it is no longer private - the link has been shared to the world. The video isn't shared or publicly exposed, but the link to it is.
Is that what you're talking about?
That would be, more or less, the same as someone publishing your username and password. I think that he thinks that in one case that is likely and in one it is not. But I think that he has the "likely" reversed.
-
@Carnival-Boy said in Security Of Cloud Shared Links:
I'm not really understanding this thread. If you publish a video on YouTube (or similar) and set it to "unlisted", then only those people with the link can find it. It won't be indexed by search engines because it's marked as unlisted.
If someone takes your link and publishes on a website, then it will be indexed, because it is no longer private - the link has been shared to the world. The video isn't shared or publicly exposed, but the link to it is.
Is that what you're talking about?
Kind of. My question is...
If I don't post it to be indexed and the person I shared it with doesn't post it to be indexed, will it ever be indexed?
-
@BRRABill said in Security Of Cloud Shared Links:
@Carnival-Boy said in Security Of Cloud Shared Links:
I'm not really understanding this thread. If you publish a video on YouTube (or similar) and set it to "unlisted", then only those people with the link can find it. It won't be indexed by search engines because it's marked as unlisted.
If someone takes your link and publishes on a website, then it will be indexed, because it is no longer private - the link has been shared to the world. The video isn't shared or publicly exposed, but the link to it is.
Is that what you're talking about?
Kind of. My question is...
If I don't post it to be indexed and the person I shared it with doesn't post it to be indexed, will it ever be indexed?
Potentially, exactly the same as with your non-shared links being indexed with the username and password passed in. Possible, yes, but less possible than the alternative. Same answer I keep giving. Safer than the other option.
-
@scottalanmiller said in Security Of Cloud Shared Links:
@BRRABill said in Security Of Cloud Shared Links:
Are you saying that unless you publish them directly to the search engine, no search engine is EVER going to find them?
Not quite. I'm saying that the search engines are less likely to find them than they are to find your username and password and publish everything you have today.
I think the issue is not that you are misunderstanding public link security, but that you overly trust an emotional response to usernames.
There are two parts here - which is where I am seeing some possible confusion coming in.
Brrabill asked about these public links - are they safe are they secure.
Then separately he noticed that one or more vendors also included the email address in said link.
These are two separate mostly unrelated questions/concerns.
As for the first one, assuming it doesn't contain the email address or some other identifiable marker of it's owner - is safe because of the unlikeliness of guessing the correct link name to find the file.
With the second one, you have information leakage - you know who the owner is - but that's all. You still have to guess randomly created link to the file.
Is it as good as the first - no, but is it horrible? probably not really.
-
@BRRABill said in Security Of Cloud Shared Links:
If I don't post it to be indexed and the person I shared it with doesn't post it to be indexed, will it ever be indexed?
No, it shouldn't be. That's the purpose of YouTube's "unlisted" option. It's hidden from everyone who doesn't have the link. Search engines can't index URLs that are hidden.
-
Shockingly, I was misinformed about how indexing works.
I thought there was a lot more magic to it, apparently!
I now understand that standalone pages on a site cannot be indexed, except by brute force. On any site.
-
@Carnival-Boy said in Security Of Cloud Shared Links:
@BRRABill said in Security Of Cloud Shared Links:
If I don't post it to be indexed and the person I shared it with doesn't post it to be indexed, will it ever be indexed?
No, it shouldn't be. That's the purpose of YouTube's "unlisted" option. It's hidden from everyone who doesn't have the link. Search engines can't index URLs that are hidden.
That assumes that a spider can't find it. Tons of pages aren't linked anyone on any page, yet Google is aware of them because their spiders crawl all over the page doing ls commands looking for anything and everything.
Now these shared links hopefully aren't real - instead they are hopefully virtual links that tell a DB what file should be connected to, and hopefully the DB itself is not crawlable.
-
@Dashrender said in Security Of Cloud Shared Links:
That assumes that a spider can't find it.
Spidering is defined as the following of links. If it is unlinked, by definition, a spider cannot find it.
-
@StrongBad said
Spidering is defined as the following of links. If it is unlinked, by definition, a spider cannot find it.
That is what @scottalanmiller told me. (I think, don't want to put words in his mouth.)
If it's not linked, it can't be found except by brute force.
-
@Dashrender said in Security Of Cloud Shared Links:
Tons of pages aren't linked anyone on any page, yet Google is aware of them because their spiders crawl all over the page doing ls commands looking for anything and everything.
ls commands? How would they do that? There isn't any ls command in HTTP.
-
@BRRABill said in Security Of Cloud Shared Links:
@StrongBad said
Spidering is defined as the following of links. If it is unlinked, by definition, a spider cannot find it.
That is what @scottalanmiller told me. (I think, don't want to put words in his mouth.)
If it's not linked, it can't be found except by brute force.
OK I guess I used the wrong term... Google definitely knows about new pages where links to that site don't exist yet, or much - and it brute forces those sites... and it is undoubtedly brute forcing major websites looking for new pages, not waiting for links to those to appear first.
-
@Dashrender said in Security Of Cloud Shared Links:
@BRRABill said in Security Of Cloud Shared Links:
@StrongBad said
Spidering is defined as the following of links. If it is unlinked, by definition, a spider cannot find it.
That is what @scottalanmiller told me. (I think, don't want to put words in his mouth.)
If it's not linked, it can't be found except by brute force.
OK I guess I used the wrong term... Google definitely knows about new pages where links to that site don't exist yet, or much - and it brute forces those sites... and it is undoubtedly brute forcing major websites looking for new pages, not waiting for links to those to appear first.
@BRRABill and I were discussing this and this can't be possible. That would be illegal, in fact, as it would qualify as hacking. And it is technically impossible. Google and everyone else only follows published links.
-
To be sure, if you have a folder that is published or a generic name like "public" and it is listable, then you are self publishing those links through HTTP discovery, obviously. But that's publishing.
-
@StrongBad said in Security Of Cloud Shared Links:
@Dashrender said in Security Of Cloud Shared Links:
Tons of pages aren't linked anyone on any page, yet Google is aware of them because their spiders crawl all over the page doing ls commands looking for anything and everything.
ls commands? How would they do that? There isn't any ls command in HTTP.
again, you're probably right, it's not ls - but there is a way to crawl over a site via HTTP - I had software 15 years ago that I just pointed toward a URL and it would find all of the folder structure that it was allowed to get to, many not having links.
-
Now we're getting to debate my question!
I originally thought the same as @Dashrender, whichis why I was concerned that the link would eventually be found.
But as you've seen, @scottalanmiller says that is impossible.
-
@scottalanmiller said in Security Of Cloud Shared Links:
To be sure, if you have a folder that is published or a generic name like "public" and it is listable, then you are self publishing those links through HTTP discovery, obviously. But that's publishing.
This is what I'm talking about.
-
@Dashrender said in Security Of Cloud Shared Links:
@StrongBad said in Security Of Cloud Shared Links:
@Dashrender said in Security Of Cloud Shared Links:
Tons of pages aren't linked anyone on any page, yet Google is aware of them because their spiders crawl all over the page doing ls commands looking for anything and everything.
ls commands? How would they do that? There isn't any ls command in HTTP.
again, you're probably right, it's not ls - but there is a way to crawl over a site via HTTP - I had software 15 years ago that I just pointed toward a URL and it would find all of the folder structure that it was allowed to get to, many not having links.
The folders present links via HTTP. Those are linked. Nothing nefarious or weird there, that's a published directory structure. You can do it by hand and see the links very clearly.
-
@Dashrender said in Security Of Cloud Shared Links:
@scottalanmiller said in Security Of Cloud Shared Links:
To be sure, if you have a folder that is published or a generic name like "public" and it is listable, then you are self publishing those links through HTTP discovery, obviously. But that's publishing.
This is what I'm talking about.
Right, so if there are links, Google can see them. Disable the display of the links, and Google cannot.