Saturday, February 5, 2011

Unlinked web pages on a server - security hole?

On my website, I have several HTML files I do not link off the main portal page. Without other people linking to them, is it possible for Jimmy Evil Hacker to find them?

  • Yes, it is.

  • You're talking about security through obscurity (google it) and it's never a good idea to rely on it.

    From flukus
  • If anyone accesses the pages with advanced options turned on on their Google toolbar, then the address will be sent to Google. This is the only reason I can figure out why some pages I have are on Google.

    So, the answer is yes. Ensure you have a robots.txt or even .htaccess or something.

    Paul Nathan : ugh monkeybums. OK.
    Darryl Hein : Well it would be useful if you are in their position if you want to know about every page on the Internet. (Plus it's in the disclaimer.)
    Frank Schmitt : The problem with a robots.txt is that someone looking for holes in your obscurity-security system will likely check there first.
    Darryl Hein : @Frank Schmitt: this is very true. So the best is to put some other kind of blockage on it, such as password.
  • It's unlikely they will be found, but still a possibility.

    The term "security through obscurity" comes to mind.

    From PlacidBox
  • Hidden pages are REALLY hard to find.

    First, be absolutely sure that your web server does not return any default index pages ever. Use the following everywhere in your configuration and .htaccess files. There's probably something similar for IIS.

    Options -Indexes


    Second, make sure the file name isn't a dictionary word -- the odds of guessing a non-dictionary word become astronomically small. Non-zero: there's a theoretical possibility that someone, somewhere might patiently guess every possible file name until they find yours. [I hate these theoretical attacks. Yes, they exist. No, they'll never happen in your lifetime, unless you've given someone a reason to search for your hidden content.]

    From S.Lott
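Putting the two mitigations from this thread together (no directory listings, plus the password protection Darryl Hein suggests instead of relying on obscurity), here is an added example of an Apache .htaccess for the directory holding the unlinked pages. It is not code from any of the answerers; the file path is a placeholder and the directives assume Apache 2.4 with AllowOverride permitting Options and AuthConfig.

```apache
# Added example, not from the answers above. Drop this .htaccess into the
# directory that holds the unlinked pages. Paths are placeholders.

# Never serve an auto-generated listing when the directory itself is
# requested, so the "hidden" file names are not simply enumerated.
Options -Indexes

# Obscurity is not access control: require a login for everything in
# this directory. The htpasswd file must live OUTSIDE the document root
# so it can never be downloaded as a web page.
# (placeholder path below)
AuthType Basic
AuthName "Private area"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Basic auth sends the password base64-encoded, not encrypted, so only
# accept these requests over HTTPS (needs mod_ssl).
SSLRequireSSL
```

Create the credentials file once with the stock Apache tool, e.g. `htpasswd -c /var/www/private/.htpasswd alice`, and note that robots.txt is not needed for a password-protected directory, which avoids advertising the path there at all.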
