[3552] in WWW Security List Archive
Re: Alta Vista may or may not harvest unadvertised documents
daemon@ATHENA.MIT.EDU (Steve Neruda)
Fri Nov 15 12:10:29 1996
Date: Fri, 15 Nov 1996 09:03:30 -0500
From: Steve Neruda <steve_neruda@nationwide.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
David M. Chess wrote:
>
> > Regardless of whether the Alta Vista harvester is this aggressive,
> > other harvesters (or individual human users) might be, so the prudent
> > thing is never to put files in a world-readable web tree that you can't
> > afford for the world to see. Other recent RISKS postings include a few
> > horror stories on this theme.
>
This problem is really one of education. Security through obscurity
is a bad thing. Just because you don't globally publish a URL doesn't
mean it's private. There are a dozen ways, including an employee that
didn't realize it was company confidential, that this URL might leak
out to the general unwashed masses.

From a design standpoint I prefer to turn off automatic directory
listings since I like to enforce the view I'm trying to present. This in no
way should be confused with security. If you want documents on a
server to be protected, limit access by X.509 Cert, password, or even
IP address. I also prefer to have two document trees (if at all
possible on two separate servers). One is for company private
information and the other for public material.

It's helpful from a social engineering standpoint to make their names
descriptive (ie http://publicinfo.company.com or
http://DemiseOfOurCompanyIfThisLeaksOut.company.com). Another useful
feature (at least in the apache server) is to be able to automatically
tag on a header and/or footer to all documents. This is a good place
to put a company confidential warning that will show up with all pages
even if they're printed.

Remember: if a web crawler can find it then your competition can!
SteveN
Steve Neruda Steve_Neruda@Nationwide.Com
Senior Internet Consultant The Internet Technologies Group
AT&T -- Any company with the Death Star as a logo
can't be all bad
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMos4xd9VrcmyuFZxAQH5DgQAgaeNBI0VHiQok0+N8wK2CvrD0YTxh/zh
uVo7KN0qrnXQ7071WK1flyGOsCyNO504M4Ri5FftH4ijAT/HwWNxH88NddO72kwH
RpyrHbAU8JQw6MOaMZqFjHVBU9YQeSiS6JgyY+HXy9m9r+KXP5euNNdsVvc1y21u
YNIDNWX5Bgc=
=Uvj8
-----END PGP SIGNATURE-----
--
Steve Neruda Steve_Neruda@Nationwide.Com
Senior Internet Consultant The Internet Technologies Group
"They gave me a book of checks. They didn't ask for any deposits."
--Congressman Joe Early
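As an added illustration of the layout the post above recommends (not configuration from the original message or from its author), here is an Apache httpd configuration with two separate document trees: a public host with directory listings turned off, and a private host that is only reachable over TLS with a client certificate, from internal addresses, and with a password. It is written against the Apache 2.4 directive syntax (a later version than the 1996 post refers to), and all hostnames, paths, the CA and certificate files, the htpasswd file and the 10.0.0.0/8 internal range are assumed placeholder values.

```apache
# Added example (assumed Apache 2.4 syntax; all names and paths are placeholders).

# --- Public tree: anyone may read it, but nothing is listed automatically ---
<VirtualHost *:80>
    ServerName publicinfo.example.com          # assumed hostname
    DocumentRoot /srv/www/public               # assumed path

    <Directory /srv/www/public>
        # Turning listings off only enforces the presented view; it is
        # not an access control, as the post itself stresses.
        Options -Indexes
        Require all granted
    </Directory>
</VirtualHost>

# --- Private tree: a separate host (ideally a separate server) ---
<VirtualHost *:443>
    ServerName intranet.example.com            # assumed hostname
    DocumentRoot /srv/www/private              # assumed path

    # TLS with mandatory client certificates (the "X.509 Cert" option).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.pem        # assumed
    SSLCertificateKeyFile /etc/ssl/private/intranet.key      # assumed
    SSLCACertificateFile  /etc/ssl/certs/company-ca.pem      # assumed CA
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Directory /srv/www/private>
        Options -Indexes

        # Password-protect the tree as well (the "password" option).
        AuthType Basic
        AuthName "Company confidential"
        AuthUserFile /etc/httpd/private.htpasswd             # assumed

        # All three conditions must hold: client cert (above), internal
        # source address, and a valid user (the "IP address" option).
        <RequireAll>
            Require ip 10.0.0.0/8                            # assumed range
            Require valid-user
        </RequireAll>
    </Directory>

    # Ask well-behaved crawlers not to index anything here. This is a
    # courtesy signal, not a security control; the access rules above are.
    Header always set X-Robots-Tag "noindex, nofollow"
</VirtualHost>
```

The `<RequireAll>` block is the important part: a leaked URL under the private host still fails unless the request arrives from an internal address, over a session authenticated with a company-issued client certificate, and with a valid password. The `X-Robots-Tag` header needs mod_headers, and the `SSL*` directives need mod_ssl; the per-page "company confidential" footer the post mentions is not shown here because the module that appended it automatically in 1996-era Apache is not named in the message.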