[3531] in WWW Security List Archive
Re: Alta Vista may or may not harvest unadvertised documents
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Nov 13 16:56:20 1996
To: "David M. Chess" <CHESS@watson.ibm.com>
cc: www-security@ns2.rutgers.edu
Date: Wed, 13 Nov 1996 13:32:31 -0500
From: Steven Bellovin <smb@research.att.com>
Errors-To: owner-www-security@ns2.rutgers.edu
> > True, but almost all of the risk is eliminated if you provide the
> > index.html or whatever your server requires to block enumeration
> > of all files in a directory. While the files may still be accessible,
> > it would take a real guessing game to find the names.
>
> Or it would take some harvester accessing the directory URL
> during the one period when you'd accidentally erased the
> index.html, or you were in the middle of updating it in a
> way that kept the server from seeing it, or it's the one
> directory where you forgot to put an index.html, or you
> spelled its name wrong, or used home.html instead because
> you'd just been working with another brand of server, or... *8)
>
> Depending on just how secret the stuff in the directory is,
> of course, this may be a tiny enough risk not to matter. But
> as a matter of policy relying on having an index.html to
> block the enumeration, and no one guessing the filenames,
> is probably a tad weak! (Maybe I'm just paranoid from having
> read RISKS too much this morning...)
No, you're not paranoid, you're properly cautious.
Blatant assertion: servers should refuse to deal with directories without
explicit index.html files. If it's not there, the directory won't be
served. I'd like a further check to guard against folks asking for
directory/.htpasswd and the like -- none of their business. It's easy
to assert that the server shouldn't pass back . files, and maybe some
are like that already. But the bottom line is that files should be
retrievable if and only if someone has taken positive action to make them
so.
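A request filter that implements the policy argued in this message, added here as an example and not code from the list thread or any particular server: a path is served only when it stays inside the document root, contains no dotfile component such as .htpasswd, and sits in a directory that has an explicit index.html. The `should_serve` function and the sample document tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Added example (not from the original list discussion): serve a path only if
# (1) it stays inside the document root, (2) no component is a dotfile such
# as .htpasswd, and (3) the directory holding it has an explicit index.html,
# i.e. someone took positive action to publish that directory.

def should_serve(docroot, request_path):
    """Return True if request_path may be served from docroot under the policy."""
    root = Path(docroot).resolve()
    # Drop the leading slash and resolve to catch ".." traversal and symlinks.
    target = (root / request_path.lstrip("/")).resolve()
    try:
        rel = target.relative_to(root)
    except ValueError:
        return False                       # escaped the document root
    if any(part.startswith(".") for part in rel.parts):
        return False                       # never hand out dotfiles
    if target.is_dir():
        # Directory URLs are never listed: they resolve to index.html or nothing.
        return (target / "index.html").is_file()
    if not target.is_file():
        return False
    # A plain file is published only if its directory was explicitly published.
    return (target.parent / "index.html").is_file()

def build_demo_docroot():
    """Constructed sample tree: 'pub' is published, 'drafts' has no index.html."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<h1>site</h1>")
    (root / "pub").mkdir()
    (root / "pub" / "index.html").write_text("<h1>public</h1>")
    (root / "pub" / "report.html").write_text("report")
    (root / "pub" / ".htpasswd").write_text("user:hash")   # constructed, not a real credential
    (root / "drafts").mkdir()
    (root / "drafts" / "secret.html").write_text("not yet")
    return root

if __name__ == "__main__":
    root = build_demo_docroot()
    for p in ["/pub/", "/pub/report.html", "/pub/.htpasswd",
              "/drafts/", "/drafts/secret.html", "/../etc/passwd"]:
        print(f"{p:22} -> {'serve' if should_serve(root, p) else 'refuse'}")
```

Under this rule a directory that momentarily loses its index.html simply stops being served, rather than falling open to enumeration.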