What do you mean by accessible without authentication? My server will serve example.com/64-byte-random-code if you request it, but if you don’t know the code, I won’t serve it.

▲

prophesi a day ago | parent | next [-]

Obfuscation may hint that it's intended to be private, but it's certainly not authentication. And the keyspace for these goog.le short URL's are much smaller than a 64byte alphanumeric code.

▲

hombre_fatal a day ago | parent | next [-]

Sure, but you have to make executive decisions on the behalf of people who aren't experts.

Making bad actors brute force the key space to find unlisted URLs could be a better scenario for most people.

People also upload unlisted Youtube videos and cloud docs so that they can easily share them with family. It doesn't mean you might as well share content that they thought was private.

▲

bo1024 a day ago | parent | prev | next [-]

I'm not seeing why there's a clear line where GET cannot be authentication but POST can.

	▲	prophesi a day ago \| parent [-]
		Because there isn't a line? You can require auth for any of those HTTP methods. Or not require auth for any of them.

▲

a day ago | parent | prev | next [-]

[deleted]

▲

wobfan a day ago | parent | prev [-]

I mean, going by that argument a username + password is also just obfuscation. Generating a unique 64 byte code is even more secure than this, IF it's handled correctly.

▲

a day ago | parent | prev [-]

[deleted]