Subject: Re: Policy clarification regarding catalogs
Newsgroups: lugnet.admin.general
Date: Sat, 18 Dec 1999 01:27:57 GMT
On Sat, 18 Dec 1999 00:14:56 GMT, "Todd Lehman" <lehman@javanet.com>
wrote:
> A file served from under the URL
>
> http://www.foo.foo/images/blort.jpg
>
> where the /images/ directory is HTTP-password-protected with the username
> and password combo of "images"/"foo" is actually far less "secure" IMHO than
> a "non-secured" file with an obscure _non-linked-to_ URL, for example
>
> http://www.foo.foo/images/z7jd8x9yri8jz2qtc6jzk2m8vz8.jpg
To a cracker, maybe. To the average person? No.
> Security through obscurity may be a weak form of security, but it's still
> security (i.e., the intended limitation of viewing). In fact, any file on
> any webserver that's not linked to from some normally-navigable public page
> on that webserver is a file which I would call "secured" in some way or
> another. (Again, maybe security through obscurity, but if a file isn't
> linked to, then clearly the intention is for it not to be seen.)
Not necessarily. Does http://www.whatever.edu/ contain links to all
the users' /~user directories? In 90% of the cases, in my experience,
not. Same for ISPs.
So 90% of the web is not intended to be seen by your logic.
Security through obscurity is no security at all. Obscurity does not
exist.
Making the UID 0 account "thresh"/password "qwerty" doesn't constitute
security either.
Jasper
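Quantifying the comparison in the quoted post, as an added example that is not part of the original thread: it estimates the guessing entropy of the "foo" password and of the 27-character URL token, turns that into an expected guessing time, and shows how such a token would be minted with the OS CSPRNG. The function names, the assumed alphabets and the guesses-per-second rates are my own assumptions, not anything from the post.

```python
import math
import secrets
import string

# Values taken from the post: the basic-auth password and the obscure filename.
PASSWORD = "foo"
TOKEN = "z7jd8x9yri8jz2qtc6jzk2m8vz8"

# Assumed alphabets the secrets were drawn from (an assumption, not stated in the post).
LOWER = string.ascii_lowercase
LOWER_DIGITS = string.ascii_lowercase + string.digits


def guess_entropy_bits(secret, alphabet):
    """Entropy in bits if every character is uniform over `alphabet`.

    A secret using characters outside the alphabet is rejected rather than
    silently credited with a keyspace it was not drawn from.
    """
    if any(c not in alphabet for c in secret):
        raise ValueError("secret uses characters outside the assumed alphabet")
    return len(secret) * math.log2(len(alphabet))


def expected_guesses(bits):
    """On average an attacker finds the secret after half the keyspace."""
    return 2 ** (bits - 1)


def years_to_guess(bits, guesses_per_second):
    """Expected wall-clock years to guess a secret of `bits` entropy at a given rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


def new_capability_token(nbytes=20):
    """Mint an unguessable URL path component from the OS CSPRNG (160 bits for 20 bytes)."""
    return secrets.token_urlsafe(nbytes)


def compare_secrets(presented, expected):
    """Constant-time comparison, so the check itself does not leak how many characters matched."""
    return secrets.compare_digest(presented, expected)
```

This measures guessing cost only; it says nothing about the URL being disclosed through server logs, referers or browser history, which no amount of token length protects against.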