Hacker News
FYI: private Github Gists are not as private as you think
3 points by flovec on March 6, 2012 | hide | past | favorite | 7 comments
I e-mailed Github concerned about my private Gists being completely insecure, aside from a unique ID that is hard to guess. They responded quickly (+1 Github), though with a response I was afraid of -- security is a tradeoff, essentially (not sure I completely agree, as basic auth isn't THAT hard to implement in an API, and if I wanted to share a Gist, I'd make it non-private). So, FYI -- if you know the Gist ID, even if it's marked private, you can view it.


This is the standard public/private mechanism for most all pastebin sites. Private gists are private by the virtue of the fact that the URL is more or less unguessable. It's not actually authentication-restricted.

For example, pastie does this. Here's a public paste:

http://pastie.org/3537377

And I can see the public paste made before mine by decrementing the URL:

http://pastie.org/3537375

But I can make a private paste:

http://pastie.org/private/sd1fh4m2zesdn6nzkpcfa

And the URL is a value that's likely some sort of ID + salt digest, and has enough entropy that I couldn't effectively guess any other private URL.

Pastebin sites (Gist included) are specifically for the purpose of sharing code with other people. It's not intended to be used as a private clipboard for you to save snippets for later reference, though that's certainly a valid use of it, as long as you're aware that they aren't actually authentication-restricted.
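As an added illustration of the entropy argument in the comment above (my own example, not the commenter's code), this Python snippet compares the two pastie URL forms quoted there: a decimal counter is enumerable no matter how long it is, while a 21-character lowercase-alphanumeric token has at most about 108 bits if it is uniformly random. The `new_private_token` helper and the attacker request rate used in the test are assumptions, not anything pastie or GitHub publishes.

```python
import math
import secrets
import string

# Constructed inputs: the two kinds of pastie URL path shown in the thread.
SEQUENTIAL_ID = "3537377"                # public paste: a decimal counter
PRIVATE_TOKEN = "sd1fh4m2zesdn6nzkpcfa"  # private paste: an opaque token

LOWER_DIGITS = string.ascii_lowercase + string.digits  # 36 symbols


def entropy_bits(token: str, alphabet: str) -> float:
    """Upper bound on the unguessability of `token`, assuming every position
    is drawn uniformly from `alphabet`. A token derived from a counter
    (e.g. a salted hash of the ID) can only be *less* random than this."""
    if any(ch not in alphabet for ch in token):
        raise ValueError("token contains characters outside the alphabet")
    return len(token) * math.log2(len(alphabet))


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one specific token by blind enumeration:
    half the keyspace divided by the attacker's request rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def is_enumerable(path_id: str) -> bool:
    """A decimal counter is trivially walkable (id-1, id+1, ...), so its
    length says nothing about how hard neighbouring pastes are to find."""
    return path_id.isdigit()


def new_private_token(length: int = 21) -> str:
    """Assumed helper: mint a capability-URL token the defensive way, from
    the OS CSPRNG rather than from a counter or a predictable digest."""
    return "".join(secrets.choice(LOWER_DIGITS) for _ in range(length))


if __name__ == "__main__":
    print("sequential id enumerable:", is_enumerable(SEQUENTIAL_ID))
    bits = entropy_bits(PRIVATE_TOKEN, LOWER_DIGITS)
    print(f"private token: {bits:.1f} bits (upper bound)")
    print(f"years at 1e6 req/s: {expected_years_to_guess(bits, 1e6):.2e}")
    print("fresh token:", new_private_token())
```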


Interesting. Just because it's standard, doesn't necessarily make it perfect? I guess I'm just looking for a versioned script repository that's authenticated and has an easy API to roll credentials. Is it too much to ask!? :)


This is fairly common practice - for example pastie/pastebin, Skitch, Facebook - all have 'private' URL options.

I thought it was obvious, but that's only because I immediately understood the implications of a shareable URL. That's not going to be obvious to everyone, and GitHub really should change the "[lock icon] Create Private Gist" to something like "Create Hidden Gist".

"Hidden" implies it's there if you find it. "Private" implies a whole lot more.


Hidden makes a whole lot more sense!


On the one hand if you can argue that someone can guess the unique gist ID, you could also argue they can guess your Github session ID, in which case authentication is moot*

On the other hand, because the Gist ID is in the URL, it is more prone to leaking.

One example: I uploaded a PDF (classification: public) to a web server and sent the link to a few people. It was not published anywhere, not communicated outside our group, there were no external links to it, so it could not be spidered. Couple of days later Google had managed to index it, and it was getting downloads. How did Google know it existed? Maybe someone used GMail, maybe they had Google toolbar installed which submits URLs to Google for indexing, who knows? I noticed Github has blocked Google et al from indexing all the Gists with robots.txt, which helps.

Either way, probably best to be careful how you handle the "private" Gist URLs, or just don't use them for super secret information.

*Yes, a session ID is longer, and should have a finite life span, so it may be harder, but it's the same kind of issue.


I thought that was pretty obvious, since you can just share the URL with anyone, without any sort of auth.


So, ideally, if you "shared" an endpoint, and the Gist was marked "private", you'd get something standard like "unauthenticated". Why else make it private?