2

I have a web app that stores objects in a database and then sends emails based on changes to those objects. For debugging and tracking, I am thinking of including the Document Id in the email metadata. Is there a security risk here? I could encrypt it (AES-256).

In general, I realize that security through obscurity isn't good practice, but I am wondering if I should still be careful with Document Ids.

For clarity, I am using CouchDB, but I think this can apply to databases in general.

Justin Elkow
  • 2,833
  • 6
  • 28
  • 60

2 Answers2

2

By default, CouchDB uses UUIDs with a UTC time prefix. The worst you can leak there is the time the document was created, and you will be able to correlate about 1k worth of IDs likely having been produced on the same machine.

You can change this in the CouchDB configuration to use purely 128bit random UUIDs by setting the algorithm setting within the uuids section to random. For more information see the CouchDB Docs. Nothing should be possible to be gained from them.

Edit: If you choose your own document IDs, of course, you leak whatever you put in there :)

Jan Lehnardt
  • 2,619
  • 1
  • 17
  • 14
  • Great answer, thanks. I am using my own DocIds which do contain some user information. I will keep that in mind as I decide if I want to encrypt or not. – Justin Elkow Jun 11 '14 at 16:43
1

Compare Convenience and Security:

Convenience:

  • how useful is it for you having the document id in the mail?
  • can you quickly get useful information / the document having the ID ?
  • does encrypting/hashing it mean it's harder to get the actual database document? (answer here is yes unless you have a nice lookup form/something which takes the hash directly, avoid manual steps )

Security:

  • having a document ID what could I possibly do that's bad?
  • let's say you have a web application to look at documents..you have the same ID in a URL, it can't be considered 'secret'
  • if I have the ID can I access the 'document' or some other information I shouldn't be able to access. Hint: you should always properly check rights, if that's done then you have no problem.
  • as long as an ID isn't considered 'secret', meaning there aren't any security checks purely on ID, you should have no problems.
  • do you care if someone finds out the time a document was created? ( from Jan Lehnardt's answer )
Cristian Vat
  • 1,602
  • 17
  • 18
  • middle ground option: put a UUID in each doc and put that in the email header and then use a view to correlate results for debugging. – Jan Lehnardt Jun 12 '14 at 18:40