by redm 1776 days ago
The problem with these one-time URLs is that most people share them in places where the "one-time" is usually a cloud provider. If you share over IM, the IM service will check the URL to provide a preview, or virus scan it. Same for many email providers. By the time you try to open it, it's already been burned.

You can whitelist those parties, but it somewhat defeats the purpose of a secure one-time link.

3 comments

The encrypted content should be served (and burned server-side) only to a POST request. No sane service can expect a POST request to be idempotent and therefore shouldn’t fire it (twice).

That’s why I password protect any one-time URLs that I ever use, regardless of the provider.

They can’t cause the URL to auto-expire if they don’t have the password.

This password on the one-time URL is something that I share via less secure methods and is easily guessable. Its only purpose is to prevent the one-time URL from being auto-expired by malware checkers or preview creators.

We're considering adding additional password protection as a new feature (see https://github.com/sniptt-official/ots/issues/2) - this password can then be shared via other channels with the recipient.

Hi, we will be using https://aws.amazon.com/waf/features/bot-control/ which should help somewhat, but I think we will have to spend a bit more time trying to establish a more robust solution.
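
The two mitigations raised in this thread (burn only on POST, and gate the burn behind a passphrase), sketched as an added example that is not part of any comment above and is not the OTS project's code. The class name, status strings, and the failed-attempt cap are assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumption: cap on wrong guesses, not taken from the thread


class OneTimeStore:
    """In-memory one-time secret store (hypothetical, for illustration)."""

    def __init__(self):
        self._items = {}  # token -> [passphrase, content, failed_attempts]

    def put(self, content, passphrase):
        token = secrets.token_urlsafe(16)  # unguessable URL component
        self._items[token] = [passphrase, content, 0]
        return token

    def handle(self, method, token, passphrase=None):
        """Return (status, body) for a request to the one-time URL."""
        item = self._items.get(token)
        if item is None:
            return 404, "gone"
        if method in ("GET", "HEAD"):
            # Link previewers and URL scanners issue safe methods only:
            # show a confirmation page and leave the secret untouched.
            return 200, "confirm"
        if method != "POST":
            return 405, "method not allowed"
        if passphrase is None:
            return 401, "passphrase required"  # nothing burned, nothing counted
        if not hmac.compare_digest(passphrase.encode(), item[0].encode()):
            item[2] += 1
            if item[2] >= MAX_ATTEMPTS:
                del self._items[token]  # too many wrong guesses: destroy it
            return 403, "wrong passphrase"
        del self._items[token]  # burn exactly once, on the successful POST
        return 200, item[1]


if __name__ == "__main__":
    store = OneTimeStore()
    url_token = store.put("constructed sample secret", "tulip")
    print(store.handle("GET", url_token))             # previewer: not burned
    print(store.handle("POST", url_token, "tulip"))   # recipient: served, burned
    print(store.handle("POST", url_token, "tulip"))   # second try: gone
```

Because the passphrase in this scheme is deliberately weak, the attempt cap is what keeps it from being guessed by whoever intercepts the link; without the cap it only stops automated fetchers.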