Obfuscate your Company
Time to read:
May 28, 2009
Escrito por
Esta publicação faz parte do arquivo da Twilio e pode conter informações desatualizadas. Estamos sempre criando algo novo, por isso, não deixe de conferir nossas últimas publicações para obter os insights mais atualizados.
When I was at Amazon, I remember a story from the days of yore, it went like this.
Amazon was about to go public, and all sorts of analysts were trying to determine Amazon’s sales and customer growth, obviously things the company would closely hold. At some point, some crafty analyst cracked open his browser (IE 3?) cookies from Amazon.com to find, and I’m cookie-paraphrasing here, the following contents:
CustomerId: 12345
Hrm, so Amazon had exactly 12345 customers as of the moment he signed up some while back. So, then he signed up for another account, and got a CustomerId 23456. Hrm, now he knew how many customers Amazon had gained. And by registering a new account every day, he could figure out their growth rate!
Company Secrets Fail.
So Amazon started obfuscating their customer ids in any customer-accessible places, like cookies, urls, etc.
So jump a head 10+ years, and I see see plenty of companies, often startups, who expose primary key values for things like customers, messages, orders, etc. in their URLs.
For example, I got this link today to an internal messaging system from a very young company:
I’ve redacted some of the variable names, so people can’t figure out which company it is. However, you can see primary keys for the message… and I received message #4! Hrm, now I know how popular the company, or this particular feature is. Interesting information.
I’ve always taken the view that such information is private to the company… and that leaking it out can come to give your customer, and more importantly, competitors an unwarranted view into your operations.
For example, another company in the telecom space, one you might call competitive to Twilio, happily shows me my integer, auto-incrementing Developer ID right on their dashboard:
Thanks for the intel, suckas!
At Twilio, we skip the easy INT AUTO INCREMENTs, and use MD5 hashes of good random strings to get consistent length, collision free distributed primary keys. They’re easy to generate in a distributed manner, no matter how many app-servers or databases you’re running, and they don’t leak any information about us as a company. For example, here’s one way to generate a random, fixed-length key in PHP:
md5(uniqid(rand(), true))
So, in my opinion, you’re best keeping private information private, and while you’re at it, get a nice distributed key generating system in place. But feel free to ignore this advice, your competitors will thank you!
Recursos relacionados
Twilio Docs
De APIs a SDKs e aplicativos de amostra
Documentação de referência de API, SDKs, bibliotecas auxiliares, guias de início rápido e tutoriais para sua linguagem e plataforma.
Centro de Recursos
Os mais recentes e-books, relatórios do setor e webinars
Aprenda com especialistas em engajamento do cliente para melhorar sua própria comunicação.
Ahoy
Centro da comunidade de desenvolvedores da Twilio
Melhores práticas, exemplos de código e inspiração para criar comunicações e experiências de engajamento digital.