[3611] in WWW Security List Archive
Re: .htaccess created by CGI script... -Reply
daemon@ATHENA.MIT.EDU (Harris Demel)
Fri Nov 22 18:31:28 1996
Date: Fri, 22 Nov 1996 14:06:31 -0700
From: Harris Demel <HARRIS@novell.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>> But now you are still sending the password/new IP number as
>> clear-text over the net. If you are using a CGI program to avoid
>> sending passwords as clear text, but you send a clear-text
>> password to the program, doesn't that defeat the purpose?
The CGI program's purpose is not to avoid clear-text over the net. The
purpose is for occasional updates to the .htaccess file. If someone
wanted to sniff those updates, they're going to have to do a LOT of
sniffing due to the infrequency of updates. And that brings up the point
about them having too much time on their hands anyway.
Access to the "secure" area would still require a password, but a
second layer would be the requirement of an IP address match. The idea
here is the more layers, the more secure.
The solution being provided is by no means a solution for outerweb. It is
a cheap solution, not requiring SSL, in which there is a level of trust that
employees will not spend chunks of their days trying to break into this
"secure" location. And BTW, employees who are laid off or fired are
escorted out of the building by security, which I suppose is yet another
layer of security...
- Harris Demel
Novell, Inc. IS&T InnerWeb Webmaster
----
The above comes from me and me alone, and is not necessarily the
opinion of my employer.
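The layered check the post describes (password plus IP address match, both enforced in .htaccess) looks like this in Apache configuration. This is an added illustration, not part of the original message; the file paths, realm name and address range are assumed placeholders, and the syntax is the modern Apache 2.4 form (the 1996-era equivalent used `allow from` together with `Satisfy All`).

```apache
# .htaccess for the "secure" area: both layers must pass.
# Layer 1: a valid username/password from the htpasswd file.
AuthType Basic
AuthName "InnerWeb secure area"          # assumed realm name
AuthUserFile /var/www/private/.htpasswd  # assumed path, outside DocumentRoot

# Layer 2: the client address must fall inside the internal range.
# <RequireAll> makes the two requirements AND-ed rather than OR-ed;
# with <RequireAny> a matching IP alone would bypass the password.
<RequireAll>
    Require valid-user
    Require ip 10.0.0.0/8                # assumed internal address range
</RequireAll>

# Note: AuthType Basic still transmits the password in clear text
# unless the vhost is served over TLS, which is the trade-off the
# thread is debating.
```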