security - MongoDB: is it safe to use document's ID "in public"?

Question

I really like MongoDB's automatically generated ids. They are really useful.

However, is it save to use them publicly?

Let's say there is a posts collection, and the /posts page that takes id paramater (something like /posts/4d901acd8df94c1fe600009b) and displays info about it.

This way the user/hacker will know the real object id of the document. Is it okay or is it not secure?

Thanks

Answer 1

The ObjectID documentation states that the automatically generated IDs include a 3-byte machine ID (presumably a hash of the MAC address). It's not inconceivable that someone could figure out things about your internal network by comparing those three bytes in various ids, but unless you're working for the Pentagon that doesn't seem worth worrying about (you're much more likely to be vulnerable to something more boring like a misconfigured Apache).

Other than that, Epcylon's right; there's nothing inherently insecure about exposing ids through URLs. Whether it's ugly is another matter, of course. You can base64 them to make them shorter (been thinking about this myself), but then there's the weird fact that they're all about half the same.