FYI: private Github Gists are not as private as you think
I e-mailed Github concerned about my private Gists being completely insecure, aside from a unique ID that is hard to guess. They responded quickly (+1 Github), though with a response I was afraid of -- security is a tradeoff, essentially (not sure I completely agree, as basic auth isn't THAT hard to implement in an API, and if I wanted to share a Gist, I'd make it non-private). So, FYI -- if you know the Gist ID, even if it's marked private, you can view it.
8 comments
[ 2.2 ms ] story [ 44.8 ms ] threadFor example, pastie does this. Here's a public paste:
http://pastie.org/3537377
And I can see the public paste made before mine by decrementing the URL:
http://pastie.org/3537375
But I can make a private paste:
http://pastie.org/private/sd1fh4m2zesdn6nzkpcfa
And the URL is a value that's likely some sort of ID + salt digest, and has enough entropy that I couldn't effectively guess any other private URL.
Pastebin sites (Gist included) are specifically for the purpose of sharing code with other people. It's not intended to be used as a private clipboard for you to save snippets for later reference, though that's certainly a valid use of it, as long as you're aware that they aren't actually authentication-restricted.
On the other hand, because the Gist ID is in the URL, it is more prone to leaking.
One example: I uploaded a PDF (classification: public) to a web server and sent the link to a few people. It was not published anywhere, not communicated outside our group, there were no external links to it, so it could not be spidered. Couple of days later Google had managed to index it, and it was getting downloads. How did Google know it existed? Maybe someone used GMail, maybe they had Google toolbar installed which submits URLs to Google for indexing, who knows? I noticed Github has blocked Google et al from indexing all the Gists with robots.txt, which helps.
Either way, probably best to be careful how you handle the "private" Gist URLs, or just don't use them for super secret information.
*yes session ID is longer, and should have a finite life span, so it may be harder, but the same kind of issue.
I thought it was obvious, but that's only because I immediately understood the implications of a shareable URL. That's not going to be obvious to everyone, and GitHub really should change the "[lock icon] Create Private Gist" to something like "Create Hidden Gist".
"Hidden" implies it's there if you find it. "Private" implies a whole lot more.