3

Say there is a URL example.com/abunchofrandomsymbols and there are no links to it anywhere on the internet. Could it be discovered somehow?

My guess is a browser like Google Chrome could report it to Google. But would Google do something like that?

I understand this question belongs to the security-through-obscurity category and may not be a good idea, but still, would such a URL be discoverable?

Arthur Tarasov

Possible duplicate of [Is a website published in an obscure directory comparably secure to being placed behind a login?](https://security.stackexchange.com/questions/89108/), [Use of obscure URL for security](https://security.stackexchange.com/questions/91837), [Are random URLs a safe way to protect profile photos?](https://security.stackexchange.com/questions/58215) – Steffen Ullrich Oct 19 '18 at 04:53

2 Answers

3

If you are asking whether "URLs can be discovered somehow", then the answer is definitely yes. For more information, you can check the links provided by Steffen Ullrich in a comment to your question. Full URLs can be leaked in several ways: they are probably recorded in server logs, they can be sent as a referrer whenever the page loads an asset (image, JavaScript, external fonts, etc.), they might be recorded by your ISP (unless you always use HTTPS, in which case only the domain can be seen), they can be recorded by malware in case you get infected (infected on your computer or on the website itself), and they can be leaked in a lot of different ways by mistake (a copy-paste fail, or thinking you are going to browse to a URL and instead the browser/application searches for it, sending it as a query, etc.).

And as you said, they can also be recorded by any software you use, often unexpectedly. Your email client might be processing all the content of your emails automatically, for several purposes which might include commercial purposes, and they might be parsing and recording all URLs in the content, for example. The same is true for other (often privacy-invading) software, from a simple text editor to a whole OS. And don't forget the antivirus: it might be trying to record all the URLs it can, to scan them and block them if they are known to be malicious. And all this could be done by your browser too, of course.

As for Google Chrome, does it know what URLs you visit? The answer seems to be yes, but maybe not always and maybe only if you have certain features turned on (which might be on by default anyway): check out for example its privacy policy at https://www.google.com/chrome/privacy/ . Quoting some parts:

> When you can’t connect to a web page, you can get suggestions for alternative pages similar to the one you're trying to reach. In order to offer you suggestions, Chrome sends Google the URL of the page you're trying to reach.
> [...]
> In general, usage statistics do not include web page URLs or personal information, but, if you are signed in to Chrome and syncing your browsing history in your Google Account without a Sync passphrase, then Chrome usage statistics include information about the web pages you visit and your usage of them.
> [...]
> Crash reports contain system information at the time of the crash, and may contain web page URLs or personal information, depending on what was happening at the time the crash report was triggered.
> [...]
> Some versions of Chrome feature Safe Browsing technology that can identify potentially harmful sites and potentially dangerous file types not already known by Google. The full URL of the site or potentially dangerous file might also be sent to Google to help determine whether the site or file is harmful.

This of course does not mean that the URL will certainly be crawled and then included in search results. However, you can never be sure of what Google (or other similar companies) is doing with your data, what they plan to do, and what they will do tomorrow. It's a company, with its software and services, with settings/goals/policies that can change very quickly any day.

reed
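
The referrer leak mentioned in the answer above can be checked from the defender's side. This is an added example, not part of the original answer: it lists the third-party hosts that would receive the full unlisted URL in the `Referer` header, given the page's HTML and its `Referrer-Policy`. The sample page, the host names and the choice to audit a page without a policy against the legacy browser default are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Policies under which a cross-origin request carries the full path and query.
FULL_URL = {"unsafe-url", "no-referrer-when-downgrade"}
# Assumption: no policy set means the legacy browser default is audited;
# current browsers default to strict-origin-when-cross-origin instead.
LEGACY_DEFAULT = "no-referrer-when-downgrade"
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href", "a": "href"}

class Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.meta_policy, self.refs = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.meta_policy = (a.get("content") or "").strip().lower()
        url = a.get(URL_ATTRS.get(tag, ""))
        if url and not (tag == "link" and "stylesheet" not in rel):
            self.refs.append((url, a.get("referrerpolicy"), "noreferrer" in rel))

def referrer_leaks(page_url, html, header_policy=None):
    """Third-party hosts that would be sent page_url in the Referer header."""
    page, c = urlsplit(page_url), Collector()
    c.feed(html)
    # Simplification: a <meta name="referrer"> overrides the header for the whole page.
    page_policy = c.meta_policy or (header_policy or "").strip().lower() or LEGACY_DEFAULT
    leaks = set()
    for raw, elem_policy, noreferrer in c.refs:
        t = urlsplit(urljoin(page_url, raw))
        same_origin = (t.scheme, t.netloc) == (page.scheme, page.netloc)
        policy = (elem_policy or "").strip().lower() or page_policy
        downgrade = page.scheme == "https" and t.scheme == "http"
        if t.scheme not in ("http", "https") or same_origin or noreferrer:
            continue
        if policy in FULL_URL and not (policy != "unsafe-url" and downgrade):
            leaks.add(t.netloc)
    return sorted(leaks)

# Constructed sample page, served at the question's example URL.
SECRET_URL = "https://example.com/abunchofrandomsymbols"
SAMPLE_HTML = """<link rel="stylesheet" href="https://fonts.example.net/css">
<script src="/static/app.js"></script><img src="https://cdn.example.org/logo.png">
<img src="http://insecure.example.org/pixel.gif"><a href="https://partner.example/p" rel="noreferrer">x</a>
<iframe src="https://widgets.example.net/embed" referrerpolicy="no-referrer"></iframe>"""

print(referrer_leaks(SECRET_URL, SAMPLE_HTML))
```

Serving the page with `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin` empties the list for the sample page.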
1

In short: It can't.

There may be exceptions such as:

  • one of the clients reports it to another party
  • someone is connecting to it using an interceptable connection and someone does intercept it
  • your webserver has directory listing enabled

That is the reason that projects like the OWASP DirBuster exist. There are quite a lot of tools like this, but they all work in the same way: they try to append (more or less) random strings to a domain and check the response behavior of the server.

Also, you are right: security through obscurity is never a good idea (think of what happened to Microsoft when the Samba team reversed NTLM). So beyond your theoretical question, I cannot really think of a proper way to put this to productive use. There are many ways to secure (parts of) websites, and all of those are preferable to just hiding it. Also, you can look here on why it's not a brilliant idea to actually put the above to use.

Ben

You forgot two other possible leak mechanisms, accidental disclosure during communicating the URL to a client, and people simply noticing patterns and brute-forcing it. – Austin Hemmelgarn Oct 19 '18 at 18:45
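
The path guessing described in the answer and comment above leaves a recognizable trace on the server: one client requesting many distinct paths that mostly return 404. This is an added example, not part of the original posts, of spotting that pattern in an access log and listing what the guessing client actually found. The log lines are constructed, and the combined log format and both thresholds are assumptions to adjust for a real site.

```python
import re
from collections import defaultdict

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def enumeration_suspects(lines, min_misses=5, min_miss_ratio=0.8):
    """Map each suspected path-guessing client to the paths it did find."""
    stats = defaultdict(lambda: {"misses": set(), "hits": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        ip, path, status = m.groups()
        path = path.split("?", 1)[0]
        bucket = "misses" if status == "404" else "hits"
        stats[ip][bucket].add(path)
    suspects = {}
    for ip, s in stats.items():
        total = len(s["misses"] | s["hits"])
        # Many distinct 404s AND a high miss ratio: guessing, not browsing.
        if len(s["misses"]) >= min_misses and len(s["misses"]) / total >= min_miss_ratio:
            suspects[ip] = sorted(s["hits"])
    return suspects

def log_line(ip, path, status):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [19/Oct/2018:18:45:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample: one client guessing paths, one ordinary visitor.
GUESSES = ["/admin", "/backup", "/old", "/test", "/private", "/.git/config"]
VISITOR = [("/", 200), ("/style.css", 200), ("/favicon.ico", 404)]
SAMPLE_LOG = ([log_line("203.0.113.7", p, 404) for p in GUESSES]
              + [log_line("203.0.113.7", "/backup.zip", 200)]
              + [log_line("198.51.100.20", p, s) for p, s in VISITOR])

print(enumeration_suspects(SAMPLE_LOG))
```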