
I think the concern is someone might scan all the inactive links and find that some of them link to secret URLs, leak design details about how things are built, link to documents shared with 'anyone with the link' permission, etc.


> I think the concern is someone might scan all the inactive links

How? Barring a database leak I don't see a way for someone to simply scan all the links. Putting something like Cloudflare in front of the shortener with a rate limit would prevent brute-force scanning. I assume Google semi-competently made the shortener (using a random number generator) which would make it pretty hard to find links in the first place.

Removing inactive links also doesn't solve this problem. You can still have active links to secret docs.


To make the URLs actually short, you need to use most/all of the keyspace.

Back when it was made, shorteners were competing to see who could make the shortest URL, so I bet a brute force scan would find everything.


> You can still have active links to secret docs.

If they have a (passwordless) URL they're not secret.



