[3529] in WWW Security List Archive


Re: Alta Vista may or may not harvest unadvertised documents

daemon@ATHENA.MIT.EDU (David M. Chess)
Wed Nov 13 14:58:42 1996

Date: Wed, 13 Nov 96 11:14:49 EST
From: "David M. Chess" <CHESS@watson.ibm.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

> True, but almost all of the risk is eliminated if you provide the
> index.html or whatever your server requires to block enumeration
> of all files in a directory.  While the files may still be accessible,
> it would take a real guessing game to find the names.

Or it would take some harvester accessing the directory URL
during the one period when you'd accidentally erased the
index.html, or you were in the middle of updating it in a
way that kept the server from seeing it, or it's the one
directory where you forgot to put an index.html, or you
spelled its name wrong, or used home.html instead because
you'd just been working with another brand of server, or...   *8)

Depending on just how secret the stuff in the directory is,
of course, this may be a tiny enough risk not to matter.  But
as a matter of policy relying on having an index.html to
block the enumeration, and no one guessing the filenames,
is probably a tad weak!  (Maybe I'm just paranoid from having
read RISKS too much this morning...)

DC
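
An audit for the lapses listed in the message above, added here as an example that is not part of the original post: it walks a document root and reports every directory with no usable index file. The index name, the near-miss list and the sample tree are constructed assumptions.

```python
import os
import tempfile

INDEX_NAME = "index.html"  # assumption: the only name the server treats as an index
NEAR_MISSES = {"home.html", "index.htm", "default.html"}  # constructed list

def audit_docroot(docroot, index_name=INDEX_NAME):
    """Map each directory that lacks a usable index file to the reason why."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        if index_name in filenames:
            # Present by name; a dangling symlink or special file still fails.
            if not os.path.isfile(os.path.join(dirpath, index_name)):
                findings[rel] = "index present but not a regular file"
            continue
        lookalikes = sorted(
            f for f in filenames
            if f.lower() == index_name.lower() or f.lower() in NEAR_MISSES
        )
        if lookalikes:
            findings[rel] = "misnamed index: " + ", ".join(lookalikes)
        else:
            findings[rel] = "no index file"
    return findings

def build_sample_tree(root):
    """Constructed sample document root covering the cases in the message."""
    layout = {
        ".": ["index.html"],
        "docs": ["index.html", "a.html"],
        "drafts": ["plan.txt"],      # forgot to add an index
        "staff": ["home.html"],      # another server's convention
        "reports": ["Index.html"],   # name spelled wrong
    }
    for rel, files in layout.items():
        target = os.path.join(root, rel)
        os.makedirs(target, exist_ok=True)
        for name in files:
            with open(os.path.join(target, name), "w") as fh:
                fh.write("x")
    return root

def demo():
    with tempfile.TemporaryDirectory() as root:
        return audit_docroot(build_sample_tree(root))

if __name__ == "__main__":
    for directory, reason in sorted(demo().items()):
        print(f"{directory}: {reason}")
```

A scan like this only sees the state of the tree at the moment it runs, so the transient gaps the message describes (an index erased or mid-update) can still fall between runs.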

