6

Google Storage URLs look like this:

gs://pubsite_prod_rev_0282398762349676320630463/data.bin

Accessing content at that URL requires authentication.
That being said, should I consider the 0282398762349676320630463 part as a secret?

If not secret, for simplicity reasons I will write that URL in our publicly visible export script. The pubsite_prod_rev and data.bin parts of the URL are not things I consider as secrets, so I am only concerned with that long sequence of numbers.

Nicolas Raoul

3 Answers

1

That answer really comes down to whether or not you are happy showing off where your data is stored.

If the project is a commercial grade product then, personally, I would advise that you don't make it visible to the public. After all, people may be more prone to attempt hacking into the account as you are giving quite a bit of information away. Basically you are sharing your document's ID with them, which doesn't sound like a good thing to do regardless of the case.

To be honest, there probably isn't a right or wrong answer in that sense, rather one of ethics.

ProGrammer
  • So, you're saying that it is not more dangerous than sharing for instance my email address or my Heroku app id, if I understand your answer correctly? – Nicolas Raoul Oct 11 '16 at 09:47
0

As it will be shared by all users, the Google Storage id is not a secret. A secret is normally only shared by a small population, and ideally no more than 2 persons. Simply because if more than 2 persons share a secret and the secret is disclosed, nobody (except the guilty one) can know who revealed it. In addition, in your example, the security of the data should be based on the authentication system (which should contain true secrets) and not on the knowledge of a URL.

That being said, best security practices recommend only giving each user the privileges he/she needs. So your question will ultimately reduce to:

  • what is the threat?
  • what is the risk?
  • what is the cost of mitigation?

But IMHO, if you think you can store your data on Google Storage, it means that you have already answered that the authentication system is enough on a security point of view...

Serge Ballesta
0

I agree with what ProGrammer said. It really depends on how secure your mode of authentication is and if any other files or folders have a world-shareable option open. Most often the Google Storage URL points to a file which is saved in a Firebase server. That link will basically help you access the file through the Firebase Storage SDK and the Google Storage API. But sharing a URL like that might also help unknown actors guess what the other files might be and help them sort of enumerate through and see if he/she can access any of the files which might have been "mistakenly" kept in a world readable mode.

  • As written in the question, `The pubsite_prod_rev and data.bin parts of the URL are not things I consider as secrets` so your sentence `help unknown actors guess what the other files might be`, while true, is not the topic of the question at hand here. – Nicolas Raoul Feb 20 '19 at 01:04
  • And you are completely correct, that is why I mentioned ProGrammer's answer being correct. The Google Storage URL specific to the one you shared might not be considered as secret, but based on that, if you should create other URLs that might have other implications. Let's take your URL as an example. 1: pubsite_prod_rev also tells me that there might be something on the line of privsite_prod_rev or pubsite_stg_rev etc. 2: data.bin also tells me to try and see if there is something like image.bin or static.bin. In the end you will never know where the next threat might come from. Stay safe. – BoredToolBox Feb 20 '19 at 06:41
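Both Serge Ballesta's point (the data must be protected by authentication, not by the obscurity of the URL) and BoredToolBox's point (the real risk is a sibling bucket or object that was "mistakenly" left world readable) come down to one check: does the bucket's IAM policy grant anything to a public principal? The following is an added example, not code from the question or any of the answers. It works on the JSON form of a bucket IAM policy (the `bindings` / `role` / `members` layout that `gsutil iam get gs://BUCKET` prints) and flags the two real public principals, `allUsers` and `allAuthenticatedUsers`. The sample policies and the service-account name are constructed for the example; the bucket name is the one from the question.

```python
import json
from urllib.parse import urlparse

# The two GCS IAM principals that make a binding world-readable:
# "allUsers" is anyone on the internet, "allAuthenticatedUsers" is any
# Google account at all (effectively public as well).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy: only a project owner and one service account
# (hypothetical name) can read objects. This is the shape of a bucket that
# relies on authentication, as the answers recommend.
LOCKED_DOWN_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:export-bot@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

# Constructed sample policy with the mistake BoredToolBox warns about:
# objectViewer granted to allUsers, so knowing any gs:// URL is enough to read.
WORLD_READABLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["projectOwner:example-project"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]}
  ]
}
""")


def bucket_from_gs_url(url):
    """Split a gs:// URL into (bucket name, object path).

    The long numeric suffix in the question is simply part of the bucket
    name; nothing about the URL itself is a credential.
    """
    parsed = urlparse(url)
    if parsed.scheme != "gs" or not parsed.netloc:
        raise ValueError(f"not a gs:// URL: {url!r}")
    return parsed.netloc, parsed.path.lstrip("/")


def public_bindings(policy):
    """Return [(role, member)] for every grant to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def audit(url, policy):
    """Summarise whether the bucket behind `url` depends on authentication.

    `public` is True when any role is granted to allUsers or
    allAuthenticatedUsers; in that case the URL effectively *is* a secret
    and must not go into a public script.
    """
    bucket, obj = bucket_from_gs_url(url)
    findings = public_bindings(policy)
    return {
        "bucket": bucket,
        "object": obj,
        "public": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    url = "gs://pubsite_prod_rev_0282398762349676320630463/data.bin"
    for name, policy in [("locked down", LOCKED_DOWN_POLICY),
                         ("world readable", WORLD_READABLE_POLICY)]:
        print(name, audit(url, policy))
```

To run this against a real bucket, feed it the output of `gsutil iam get gs://BUCKET` (which prints the policy as JSON) via `json.load`. A bucket that passes this check with no findings is one whose safety rests on IAM, which is exactly the condition under which the answers say the URL is not a secret; a bucket with findings needs the public binding removed before the URL appears anywhere, regardless of how unguessable the number looks.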