What the “Security Update” Message From Google Drive Means

“A security update is being applied to Drive,” said a strange new email from Google. A whole bunch of us on the Ars Technica staff got hit with it last night. Additionally, when you visit drive.google.com you will see the message “A security update will be applied to some of your files on September 13, 2021.” You can even see a list of affected files, all of which are receiving an unspecified “security update”. So what is it about?

Google is changing the way content sharing works on Drive. Drive files have two sharing options: an individual Allow List (where you share a Google Doc with specific Google Accounts) and a Get Link option (which allows anyone with the link to access the file). The “Get Link” option works in the same way as unlisted YouTube videos – it is not really private, but theoretically not entirely public either, since the link has to be published somewhere. The shared secret links are really just security through obscurity, and it turns out that the links are actually guessable.

Along with Drive, Google is also changing how unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive:

In 2017 we introduced an update to the system that generates new unlisted YouTube links, including security improvements that make it even more difficult for others to find the links for your unlisted videos if you don’t share the link with them.

Google has known about the problem of guessable secret links for some time and changed the way link generation works as early as 2017 (presumably also for Drive?). Of course, this doesn’t affect any links you’ve shared in the past, and soon Google will require a change to your old links, which can break them. Google’s new link scheme adds a “resource key” to the end of all shared Drive links, making them harder to guess. A link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” now looks like this: “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.
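An added example (not from the article or from Google): a small Python check that scans text, such as an exported wiki page, for Drive links of the /file/d/<id> form shown above and reports which ones carry no resourcekey parameter, meaning they are old-style links that can break for new viewers once the update is applied. The function names and the sample text are constructed for illustration; the two complete URLs are the ones quoted in the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: only the /file/d/<id> link form quoted in the article is handled;
# other Drive URL shapes are out of scope for this check.
DRIVE_LINK = re.compile(r'https://drive\.google\.com/file/d/[^\s"<>“”]+')
FILE_ID = re.compile(r"^/file/d/([A-Za-z0-9_-]+)")

# Constructed sample input. The first two URLs are the article's own examples;
# EXAMPLEFILEID is a placeholder, not a real file ID.
SAMPLE = """
Old: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/
New: https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.
Empty key: https://drive.google.com/file/d/EXAMPLEFILEID/view?resourcekey=
"""


def audit_drive_links(text):
    """Return (file_id, resource_key_or_None, url) for every Drive link in text."""
    findings = []
    for match in DRIVE_LINK.finditer(text):
        # Drop sentence punctuation that got glued onto the end of the URL.
        url = match.group(0).rstrip(".,;)")
        parts = urlsplit(url)
        id_match = FILE_ID.match(parts.path)
        if not id_match:
            continue
        # parse_qs drops blank values, so "resourcekey=" counts as missing.
        keys = parse_qs(parts.query).get("resourcekey", [])
        findings.append((id_match.group(1), keys[0] if keys else None, url))
    return findings


def stale_links(text):
    """URLs published without a resource key (old-style links)."""
    return [url for _, key, url in audit_drive_links(text) if key is None]


if __name__ == "__main__":
    for file_id, key, url in audit_drive_links(SAMPLE):
        status = "has resource key" if key else "NO resource key"
        print(f"{file_id}: {status} ({url})")
```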

If you go to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your affected files. If you hover over it, you’ll see a Remove or Apply Security Update button on the right. “Applied” means that the resource key is required after September 13, 2021 and (most of the time) breaks the old link, while “removed” means that the resource key is not required and all links should continue to work.

Google’s “Affected Files” interface. Feel free to add or remove this security update.

YouTube went through this process earlier this month, with any unlisted links from before 2017 going dead unless the owners of the videos are still active on YouTube and have opted out. Drive does this with a little more finesse than YouTube, however. Thanks to account-based sharing, anyone who has accessed your unlisted Drive links in the past will still have access to them, even if you update their security. However, no new people will be able to access the file through the old link once it is updated. If you have a stable community using an unlisted file, for the most part it should be able to carry on that way. However, all new members will be blocked and must request access. If you don’t want that, the owner of the file can click the Share button at any time and change the settings to create a new link or to disable the link entirely.

It’s a good thing that a third party won’t be able to list all of your unlisted files, but don’t confuse this link change with actual security. You should never share anything using “Unlisted” or “Get Link” on YouTube, Drive, or Google Photos if you want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they shouldn’t be considered secure or undetectable. This arrangement is perfectly fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re okay with that, fine. But if not, use Google’s actually private, account-based sharing options.