[3542] in WWW Security List Archive
Re: Alta Vista may or may not harvest unadvertised documents
daemon@ATHENA.MIT.EDU (David W. Morris)
Thu Nov 14 16:53:42 1996
Date: Thu, 14 Nov 1996 10:47:28 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: Steven Bellovin <smb@research.att.com>
cc: "David M. Chess" <CHESS@watson.ibm.com>, www-security@ns2.rutgers.edu
In-Reply-To: <199611131832.NAA26817@raptor.research.att.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 13 Nov 1996, Steven Bellovin wrote:
> > True, but almost all of the risk is eliminated if you provide the
> > index.html or what ever your server requires to block enumeration
> > of all files in a directory. While the files may still be accessibl
> e,
> > it would take a real guessing game to find the names.
>
> Or it would take some harvester accessing the directory URL
>[...]
> Depending on just how secret the stuff in the directory is,
> of course, this may be a tiny enough risk not to matter. But
> as a matter of policy relying on having an index.html to
> block the enumeration, and no one guessing the filenames,
> is probably a tad weak! (Maybe I'm just paranoid from having
> read RISKS too much this morning...)
>
> No, you're not paranoid, you're properly cautious.
Which is what risk management is all about.
> Blatant assertion: servers should refuse to deal with directories without
> explicit index.html files. If it's not there, the directory won't be
Blantant counter assertion: It is too often useful to intentionally
have the server map directories. But this is a configuration option
supported by some/all of the servers I've installed over time so it
is a choice.
> served. I'd like a further check to guard against folks asking for
> directory/.htpasswd and the like -- none of their business. It's easy
> to assert that the server shouldn't pass back . files, and maybe some
> are like that already. But the bottom line is that files should be
> retrievable if and only if someone has taken positive action to make them
> so.
I think the positive action is to place the files in the HTTP server's
tree structure. I agree that the dot (.) files should probably require
positive authorization at the server level (policy) and also
individually but for normal files putting them in the server's view
with appropriate permissions should be sufficient.
