by nostoc 1632 days ago
First time hearing about ULIDs. The locality is interesting, but they leak information about when they were generated down to the millisecond, which could lead to problems if combined with other issues. I'd be wary of using them client-side.

Yeah, I find they’re best used for data where the creation time is public information, like chat messages or logs
Can someone expand on the practical consequences of leaking when things were created to the millisecond?
Consider a timing attack: https://en.wikipedia.org/wiki/Timing_attack

Let's say a UUID comes back with an error message. This could be used to figure out how long it took to generate the error. That could tell you if a particular resource is cached, even if you don't have access to that resource.

Timing attacks are usually pretty creative. It's hard to predict how extra timing information could be misused.

You might want to expose joining dates for example, or exactly when something happened. That kind of info can leak unintentionally if someone looks at the ID and you didn’t want it exposed.