undefined | Better HN

0 pointslogicchains2y ago0 comments

Leaking a monotonic ID could allow outside observers to estimate e.g. number of accounts created or products sold over certain timeframe. Competitors (or traders, for a public company) could use this like a form of inside information on the company (e.g. sell the stock if the rate was falling).

0 comments

2 comments · 2 top-level

gorkish2y ago

This would really only be possible if you leaked a monotonic sequence; the monotonic clock only would potentially leak only event ordering or absolute time.

IMO it's not the job of the identifier itself to prevent information leakage vulnerabilities though; if thee is sensitivity to this, the solution should be explicit, such as employing a secondary key derived from the UUID using a secure KDF or similar.

fanf22y ago

UUIDv7 does not leak the allocation rate of UUIDs.

j / k navigate · click thread line to collapse