by gizmo
5842 days ago
I'd have to go with yes. Hate to be an entropy nazi, but here goes: Hash is 6 characters long, characters are alphanumeric (a-zA-Z0-9). So that makes: (26 * 2 + 10) ** 6 => 5.6E10

That looks like a big number, but it isn't. Because at the scale of Dropbox there will be 10 million links out there in no time. So then the math goes: ( (26 * 2 + 10) ** 6 ) / 10_000_000 => 5680

So you have to make only a few thousand guesses to get a random file from another user. I'd say that's not very secure.

Note that the links redirect to a page with a far longer (and presumably far more secure) hash code. Any time you see short hash -> longer hash, alarm bells should go off. I'm assuming the share links last forever. If the share links lasted only 24 hours, then the system would look pretty safe. Anyway, this is only my first impression. I might very well be wrong. Either way I think it's pretty silly to give up so much entropy to get a prettier URL. Why not just use the complete 128-bit hash?
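The arithmetic in the comment above, generalized into a sizing check for share-link tokens. This is an added example, not code from the comment or from Dropbox; the function names, the guess budget and the probability bound are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # a-zA-Z0-9, 62 symbols


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct tokens of the given length."""
    return alphabet_size ** length


def expected_guesses_per_hit(length, live_links):
    """Average count of uniformly random guesses before one is a live link."""
    return keyspace(length) / live_links


def hit_probability(length, live_links, guesses):
    """Chance that at least one of `guesses` random tokens is a live link."""
    p = live_links / keyspace(length)
    # 1 - (1 - p)**guesses, computed stably for very small p
    return -math.expm1(guesses * math.log1p(-p))


def min_length(live_links, guesses, max_hit_probability):
    """Shortest token length that keeps hit_probability at or below the bound."""
    length = 1
    while (keyspace(length) <= live_links
           or hit_probability(length, live_links, guesses) > max_hit_probability):
        length += 1
    return length


def chars_for_bits(bits, alphabet_size=len(ALPHABET)):
    """Token length needed to carry `bits` of entropy in this alphabet."""
    return math.ceil(bits / math.log2(alphabet_size))


def new_token(length):
    """Draw a token from the OS CSPRNG rather than truncating a longer hash."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(int(expected_guesses_per_hit(6, 10_000_000)))  # the comment's figure
    print(min_length(10_000_000, 10**9, 1e-6))           # assumed budget/bound
    print(new_token(chars_for_bits(128)))
```

Link expiry enters this model through `live_links`: fewer links valid at any moment means more guesses per hit for the same token length.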