I'd have to go with yes. Hate to be an entropy nazi, but here goes:
Hash is 6 characters long, characters are alphanumeric (a-zA-Z0-9). So that makes:
(26 * 2 + 10) ** 6 => 5.6E10
That looks like a big number, but it isn't. Because at the scale of dropbox there will be 10 million links out there in no time. So then the math goes:
( (26 * 2 + 10) ** 6 ) / 10_000_000 => 5680
So you have to make only a few thousand guesses to get a random file from another user. I'd say that's not very secure.
Note that the links redirect to a page with a far longer (and presumably far more secure) hash code. Any time when you see short hash -> longer hash alarm bells should go off.
I'm assuming the share links last forever. If the share links would last only 24 hours then system looks pretty safe.
Anyway, this is only my first impression. I might very well be wrong. Either way I think it's pretty silly to give up so much entropy to get a prettier URL. Why not just use the complete 128bit hash?
I haven't used the feature yet, but from reading the forum thread it sounds like the 6 random characters are only created if someone chooses to shorten their link with db.tt (presumably Dropbox's shortener). By default, resources have 15 random characters. Since URL shortening is mostly for use with twitter, I think the number of non-public files/folders with a corresponding 6-random-character link will not approach 10MM any time soon.
So, if you feel like "I wanna share this folder to the wild world, now!", just do it! You can change your mind at anytime later and the folder will be no longer accessible. Very intensive, careful design & implementation!
I think you're overstating the risks of random URLs. Unlisted cell phone numbers are not considered public even though you give them to all your friends and to every nearby cell tower. Credit cards are not considered public even though you might hand yours to a lot of strangers.
Hash is 6 characters long, characters are alphanumeric (a-zA-Z0-9). So that makes:
That looks like a big number, but it isn't. Because at the scale of dropbox there will be 10 million links out there in no time. So then the math goes: So you have to make only a few thousand guesses to get a random file from another user. I'd say that's not very secure.Note that the links redirect to a page with a far longer (and presumably far more secure) hash code. Any time when you see short hash -> longer hash alarm bells should go off.
I'm assuming the share links last forever. If the share links would last only 24 hours then system looks pretty safe.
Anyway, this is only my first impression. I might very well be wrong. Either way I think it's pretty silly to give up so much entropy to get a prettier URL. Why not just use the complete 128bit hash?