[3586] in WWW Security List Archive
No subject found in mail header
daemon@ATHENA.MIT.EDU (hallam@vesuvius.ai.mit.edu)
Tue Nov 19 17:02:53 1996
From: hallam@vesuvius.ai.mit.edu
To: Harris Demel <HARRIS@novell.com>, www-security@ns2.rutgers.edu
Cc: hallam@vesuvius.ai.mit.edu
In-Reply-To: Your message of "Mon, 18 Nov 96 16:35:41 MST." <s29090a1.057@novell.com>
Date: Tue, 19 Nov 96 13:50:50 -0500
Errors-To: owner-www-security@ns2.rutgers.edu
I would not rely so heavily on .htaccess. It was thrown together in
a great hurry and was never intended as a long term solution (like much
of the Web). A much better solution would be to have some principled
piece of code integrated into the server itself via NSAPI or ISAPI.
If the dynamic load libraries had been as good in 1992 as they are
now, CGI might never have been necessary. From the security point of view
CGI is very bad news indeed, but at the time it was the only solution
available.
I would run two servers: one to serve the pages, the other to administer
the CGI or plug-in. I would run the administrative server on a non-standard
port and make sure that the firewall or router blocked it.
I would never depend on a router or firewall blocking port 80 for a
protracted length of time.
The problem with security is not the initial config, it's the state the
config is left in five years down the line.
Phill.
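The two-server layout and the "five years down the line" remark above suggest a concrete defensive check: periodically audit the firewall rule set to confirm the administrative server is still reachable only from inside. The following is an added example, not code from the original post or from any product mentioned in the thread. It assumes iptables-save style INPUT chain rules (first match wins, default policy DROP), a public server on port 80, an administrative server on port 8443 (a placeholder for "some non-standard port"), and 10.0.0.0/8 as the internal network; both rule sets are constructed samples.

```python
"""Audit a firewall rule set for drift that exposes the admin server.

Added example, not from the original post. Assumptions (mine): iptables-save
style INPUT rules, first match wins, unmatched traffic is dropped.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical ports: public content server on 80, admin server on 8443.
PUBLIC_PORT = 80
ADMIN_PORT = 8443

RULE_RE = re.compile(
    r"-A INPUT(?: -s (?P<src>\S+))?(?: -p tcp --dport (?P<port>\d+))?"
    r" -j (?P<action>ACCEPT|DROP)"
)


@dataclass
class Rule:
    action: str                      # ACCEPT or DROP
    dport: Optional[int]             # None means "any port"
    source: ipaddress.IPv4Network    # 0.0.0.0/0 when no -s is given


def parse_rules(text: str) -> List[Rule]:
    """Parse the subset of iptables syntax used in the samples, in chain order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        m = RULE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        src = ipaddress.ip_network(m.group("src") or "0.0.0.0/0")
        port = int(m.group("port")) if m.group("port") else None
        rules.append(Rule(m.group("action"), port, src))
    return rules


def first_match(rules: List[Rule], src_ip: str, dport: int) -> str:
    """Return the action of the first rule matching (source, port), else DROP."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.source and (r.dport is None or r.dport == dport):
            return r.action
    return "DROP"   # assumed default policy


def audit(text: str, internal_ip: str, external_ip: str) -> List[str]:
    """List policy violations: admin port exposed, or required access missing."""
    rules = parse_rules(text)
    findings = []
    if first_match(rules, external_ip, ADMIN_PORT) != "DROP":
        findings.append(f"admin port {ADMIN_PORT} reachable from {external_ip}")
    if first_match(rules, internal_ip, ADMIN_PORT) != "ACCEPT":
        findings.append(f"admin port {ADMIN_PORT} not reachable from {internal_ip}")
    if first_match(rules, external_ip, PUBLIC_PORT) != "ACCEPT":
        findings.append(f"public port {PUBLIC_PORT} not reachable from {external_ip}")
    return findings


# Constructed sample: the layout the post recommends on day one.
GOOD_RULES = """
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp --dport 8443 -j DROP
-A INPUT -j DROP
"""

# Constructed sample: the same host after a "temporary" rule was prepended.
DRIFTED_RULES = """
-A INPUT -p tcp --dport 8443 -j ACCEPT   # added for a remote fix, never removed
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 8443 -j ACCEPT
-A INPUT -j DROP
"""

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("drifted", DRIFTED_RULES)):
        print(name, audit(rules, "10.1.2.3", "203.0.113.5") or "OK")
```

Run the audit from a scheduled job against the live rule dump and alert on any non-empty finding list; the point is that the check outlives whoever set up the original configuration.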