2

How safe is using UUIDs as URL identifiers for non-guessable IDs? Specifically, UUIDs generated by Python's uuid4() function, using base64 encoding. E.g.

https://example.com/content/oVOZp0W_SyG23EMjTjrphg

  • How likely is it that somebody can scrape arbitrary URLs without any information about the content (creation time, etc.)?

  • How likely is it that somebody who knows something about the content (creation time) can find the specific URL pointing to the content?

If UUIDs have practical security limitations, are there any recommended best practices for non-guessable ids which play nicely inside URLs?

EDIT: Assume we are generating 16 bytes of os.urandom() randomness, as per the comments below.

  • 1
    Don't use non-cryptographic sources of "randomness" for things that shouldn't be guessable. Just use `os.urandom` and convert it to base64. – Stephen Touset Jul 03 '15 at 00:07
  • @StephenTouset: Internally uuid4() uses 16 bytes of `os.urandom` https://hg.python.org/cpython/file/14be2ab42294/Lib/uuid.py#l609 – Mikko Ohtamaa Jul 03 '15 at 00:12
  • 1
    Unless `_uuid_generate_random` is set. More importantly, the documentation does not *guarantee* that the underlying implementation is cryptographically random, so even any future update could easily use something worse. – Stephen Touset Jul 03 '15 at 00:16
  • @StephenTouset: I edited the question so we can ignore this implementation detail for now. – Mikko Ohtamaa Jul 03 '15 at 00:19
  • @StephenTouset: But thanks for the clarification. I'll make sure the `_uuid_generate_random` is never set. – Mikko Ohtamaa Jul 03 '15 at 00:22
  • 2
    If you're using 16 bytes (128 bits) of cryptographically secure randomness, it being "a UUID" is simply conceptual and irrelevant. This is a simple application of the [birthday problem](https://en.wikipedia.org/wiki/Birthday_problem). The short answer is that an attacker will never guess one of these URLs, unless you generate a truly astronomical number of them. – Stephen Touset Jul 03 '15 at 22:25
  • @Mark: This question can be closed. The linked answer is very informative. – Mikko Ohtamaa Jul 08 '15 at 04:44
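
Added example, not part of the question or its comments: the Python below decodes the sample slug from the question back into a UUID, counts how many of its bits are actually unpredictable, and puts an upper bound on the chance that blind guessing hits any live ID. The function names and the guess and ID counts in the demo are assumptions chosen for illustration.

```python
import base64
import os
import uuid


def slug_to_uuid(slug: str) -> uuid.UUID:
    """Decode an unpadded base64url slug (22 chars) back into a UUID."""
    padded = slug + "=" * (-len(slug) % 4)
    return uuid.UUID(bytes=base64.urlsafe_b64decode(padded))


def uuid_to_slug(u: uuid.UUID) -> str:
    """Encode a UUID the way the question's URL does: base64url, no padding."""
    return base64.urlsafe_b64encode(u.bytes).rstrip(b"=").decode("ascii")


def random_bits(u: uuid.UUID) -> int:
    """Unpredictable bits in the ID. RFC 4122 version 4 fixes 4 version bits
    and 2 variant bits, so only 122 of the 128 bits are random."""
    if u.variant == uuid.RFC_4122 and u.version == 4:
        return 122
    raise ValueError("not a version-4 UUID; entropy unknown")


def new_token(nbytes: int = 16) -> str:
    """The alternative from the comments: raw os.urandom bytes, all random."""
    return base64.urlsafe_b64encode(os.urandom(nbytes)).rstrip(b"=").decode("ascii")


def guess_bound(guesses: int, live_ids: int, bits: int) -> float:
    """Union bound on P(at least one of `guesses` blind tries hits a live ID)."""
    return min(1.0, guesses * live_ids / 2 ** bits)


if __name__ == "__main__":
    u = slug_to_uuid("oVOZp0W_SyG23EMjTjrphg")  # slug from the question's URL
    print(u, "version", u.version, "random bits", random_bits(u))
    print("fresh 128-bit token:", new_token())
    # Constructed scenario: 2**30 live IDs, attacker sends 2**40 requests.
    for bits in (122, 128):
        print(bits, "bits ->", guess_bound(2 ** 40, 2 ** 30, bits))
```

The bound only holds while the bytes come from a cryptographically secure source; knowing the creation time gives an attacker nothing, because neither a version-4 UUID nor a raw `os.urandom` token encodes a timestamp.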

0 Answers