Hacker News
by pdimitar 3197 days ago
Not sure about SSL, but in the past customers of mine have copy-pasted full Heroku PG URLs to me and I was able to get in via `psql` immediately.

So yes they're public but their addresses are basically impossible to guess.

3 comments

Known as "Security through Obscurity" [0]

[0] https://en.wikipedia.org/wiki/Security_through_obscurity

Debatable. If the address is really unguessable, the address acts like a regular key.

It's still not good practice, since most systems treat addresses with far less care than passwords and often save and/or transmit them unencrypted.

Oh, I am not saying it's a good practice at all. I was just answering the question.

I still think it's a low-friction solution. But a secure one -- hardly.

> yes they're public but their addresses are basically impossible to guess.

IPv6 only then?

Sometimes people do a conference talk or just share the screen, and it's easy to take a picture of that URL.

True. I am not saying it's the best idea around, only that it's low friction. I'd probably approach it differently but I can see why they did it like they did.