Will my URL stay secret if I never link to it?

Solution 1:

Nobody's mentioned logging yet. If you are using plain HTTP, then any proxy / firewall device in between your server and your end user can log your URL and administrators of those devices will be able to see the "supposedly private" URL being accessed.

If you want to be sure your URL won't be leaked even to intermediate devices like proxies and firewalls, then you ought to protect your resources with SSL. Of course, you still need to trust the end-user's PC in that scenario. But, assuming you trust their PC, and you trust your own server, then you need to use SSL to make sure nobody in between can sniff the URL, either off the network or from a proxy / firewall log file.

IMHO, if you use SSL, then your URL could be as secure as a username/password combination, since in both cases the "secret" is transmitted encrypted. The drawback with a URL as opposed to username/password, though, is the risk that your users accidentally type in the URL without the https:// prefix ... the minute they type in http://, then the secret is out. Username/password wouldn't have that problem since your server could be configured to not challenge for username/password on an insecure connection, and instead redirect first.

Solution 2:

If you're mostly concerned with it being indexed by Google, et al., then you could use a robots.txt file. That said, if you tell robots not to index it, you're also tipping your hand to its existence. ("Ignore the man behind the curtain.")

Two people so far have commented that if you put the directory in robots.txt, it becomes obvious that there's something there. Which is what I devoted half of that first paragraph to. But maybe my idioms are opaque. So, to be clear: Having a file that says what not to look at can lead disreputable entities to look there.

Actually, as Cristian Ciupitu says in a comment:

But if he stores it in a subdirectory, the "curtain" won't be visible. He could use for example public_html/nobots/secret23/index.html.

What this means is that you can combine the use of robots.txt with the other suggestion of not having any links to it. You can also add some sort of authentication scheme.
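Added example (not part of the original answers): a small audit of a robots.txt body, checking that it keeps compliant crawlers away from an unlinked path without naming anything below the parent directory, as the quoted comment suggests. The function name, the ExampleBot agent and the sample robots.txt bodies are constructed for illustration; the path is the one from the comment, and the first path segment is assumed to be the parent directory it is acceptable to reveal.

```python
from urllib.robotparser import RobotFileParser

# Path from the quoted comment, as seen from the web root (assumption).
SECRET = "/nobots/secret23/index.html"

# Constructed robots.txt bodies.
LEAKY = "User-agent: *\nDisallow: /nobots/secret23/\n"  # names the secret directory
SAFE = "User-agent: *\nDisallow: /nobots/\n"            # names only the parent


def _segments(path):
    """Split a URL path into its non-empty segments."""
    return [s for s in path.split("/") if s]


def audit(robots_txt, secret_path, agent="ExampleBot"):
    """Return (blocked, leaked) for one unlinked path.

    blocked: a crawler that honours robots.txt is told not to fetch it.
    leaked:  an Allow/Disallow rule spells out the path beyond its first
             segment, so anyone reading robots.txt learns where to look.
    Wildcard rules are not interpreted; only plain prefixes are checked.
    """
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    blocked = not parser.can_fetch(agent, secret_path)

    secret = _segments(secret_path)
    leaked = False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0]           # drop trailing comments
        field, _, value = line.partition(":")
        if field.strip().lower() not in ("allow", "disallow"):
            continue
        rule = _segments(value.strip())
        # A rule two or more segments deep that is a prefix of the
        # secret path reveals part of what was meant to stay unlisted.
        if len(rule) >= 2 and secret[:len(rule)] == rule:
            leaked = True
    return blocked, leaked


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("safe", SAFE)):
        print(name, audit(body, SECRET))
```
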

Solution 3:

It is unlikely that it will be found, but you can't trust it. If you don't want the world to see it, put some kind of authentication on it so your friend has to at least log in. Even then, once you share it with your friend you can't be sure he hasn't leaked the secret to someone else. If you must do this, take it down once you no longer need to share it.