
I recently started to use Grafana to visualize a lot of different metrics. Grafana also enables me to share dashboard snapshots directly via a link, which is pretty comfortable since I can share the dashboard without the need for others to be registered at my site. Such a link would look like the following:

https://my-website.com:3000/dashboard/snapshot/2yFejTCJX4G8Q4Ea2XiCpMhQuiUTDvyu

In the process of creating such a link, Grafana warns me about the following:

enter image description here

It's clear to me that if I send the link to person A, I can never say to whom he will send that link.

But consider a scenario where the dashboard snapshot shows data which is related to person A. Person A obviously doesn't want random strangers to be able to access his information.

1) Is it a bad idea now if I create the link and send it to person A with the warning that he should not share it with others, since everyone with the link can access his dashboard?

2) Is this approach more risky than the normal login way? Since with the normal login approach there is also the risk person A shares his login/password with others?

3) Is it generally possible to get access to all of the dashboard snapshots with some kind of brute force attack?


Link to the documentation about dashboard sharing: Link

crovers
  • 1
    More duplicates: [Two](http://security.stackexchange.com/questions/89108/is-a-website-published-in-an-obscure-directory-comparably-secure-to-being-placed/) [Three](http://security.stackexchange.com/questions/91837/use-of-obscure-url-for-security) [Four](http://security.stackexchange.com/questions/36870/is-including-a-secret-guid-in-an-url-security-through-obscurity) – Anders Oct 13 '16 at 14:58

1 Answer

1

An "unguessable" link is exactly analogous to a username/password protected link - as you surmise, users could just as easily share the username/password for a guessable link as they could an "unguessable" link. In fact, because unguessable links can have far more entropy and because they aren't susceptible to bad password practices, it can end up being even more secure.

As far as brute forcing, there are 62^32 possible links in the scheme they appear to be using (upper and lower case letters + numbers, 32 characters long). That means that even if they could try hundreds of thousands of links a second, it would still take many, many more times than the lifetime of the universe to exhaust the search space. Even if there are hundreds of millions of links, they could probably try until the sun goes dark without finding one.

62^32 is an enormous number.

(This assumes that the URLs are generated randomly, using good sources of randomness and are not predictable. If they are predictable (hashed from the time + account or something), all bets are off.)

crovers
  • (Just did the math - if they can try a million a second, it'd take 7.2016183e+43 YEARS to exhaust the search space - that's 7 with 43 zeroes after it. My comment about many times longer than the lifetime of the universe is a gross understatement) – crovers Oct 13 '16 at 14:15
  • 2
    Unless something leaks or lists URLs. For example, if you have directory listing enabled (I don't even know if Grafana does something like that), if someone has access to the user's web history, or if there's a MITM attack. Many users are also more aware that their usernames/passwords should be considered private, while few would know to not share a URL. It's also easier to pinpoint bad behavior if you have unique credentials associated with the bad behavior. That said, this isn't insecure. – Jesse K Oct 13 '16 at 14:20
  • Oh, absolutely - if you have directory listing on, again, all bets are off. However, I'd disagree that this is less uniquely associated - you know who generated the link, and thus who started any distribution of the link. That is exactly as much info as you have with a unique user/password combo. In fact, potentially more, since you know the context of the sharing as well - you know the report that was being shared (rather than a generic user/pass being shared which might access more than just that report) – crovers Oct 13 '16 at 14:23
  • YouTube, for instance, uses 11 base-64 characters (which, actually, they may use here - not enough sample size to know if they have 2 additional characters), even for their private links. That's probably unguessable, too, and it is smaller. Tom Scott on the subject: https://www.youtube.com/watch?v=gocwRvLhDf8 – crovers Oct 13 '16 at 14:40
  • The URL can be leaked by the Referer header if the page has any links or resources hosted on outside domains! You can include this tag in the head tag to disable the referrer header from the page: ` ` – Macil Oct 13 '16 at 23:08
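
The arithmetic from the answer and its first comment, as an added example (not part of the original posts and not Grafana's code): it draws a key from the OS CSPRNG and compares the search space of a random 32-character base-62 key with that of a key derived from a timestamp. The function names, the 10^8 live-key figure and the one-day window are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: 32 characters from [A-Za-z0-9], as the answer infers
# from the sample snapshot URL in the question.
ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def new_snapshot_key(length=KEY_LENGTH):
    """Return a key where every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(candidates):
    """Bits of entropy for a uniform choice among `candidates` values."""
    return math.log2(candidates)


def years_to_exhaust(candidates, guesses_per_second):
    """Years needed to try every candidate once."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def years_to_first_hit(candidates, live_keys, guesses_per_second):
    """Expected years until a guess matches any one of `live_keys`."""
    expected_guesses = (candidates + 1) / (live_keys + 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def time_derived_candidates(window_seconds):
    """Candidates for a key hashed from a second-resolution timestamp
    plus a known account: one per second in the window, regardless of
    how long the resulting string is."""
    return window_seconds


if __name__ == "__main__":
    space = len(ALPHABET) ** KEY_LENGTH
    print("sample key:", new_snapshot_key())
    print("random key: %.1f bits" % entropy_bits(space))
    print("exhaust at 1e6/s: %.3e years" % years_to_exhaust(space, 10**6))
    print("first hit among 1e8 keys: %.3e years"
          % years_to_first_hit(space, 10**8, 10**6))
    day = time_derived_candidates(24 * 3600)
    print("time-derived, 1-day window: %.1f bits" % entropy_bits(day))
```

The last line is the "all bets are off" case: the key still looks like 32 random characters, but its strength is bounded by the number of possible inputs, not by its length.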