http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11759

Mention "Options Index" in mod_autoindex doc

------- Additional Comments From [EMAIL PROTECTED]  2002-08-16 15:14 -------
It's often fine to put private files in a web tree for use by people who know
the unpublished URLs.  Of course that's not as secure as using HTTP Basic
authentication to protect the files, but it's more convenient.  HTTP Basic Auth
is in turn less secure than Basic Auth over SSL, which is in turn less secure
than SSL with client certificates, which is in turn less secure than client
certificates whose secret keys are embedded in tamper-resistant hardware tokens.
There's a continuum of security/convenience levels that the site operator can
legitimately choose among depending on his/her specific requirements.
Unprotected files with unadvertised URLs is a perfectly legitimate point in
that continuum, and is one of the easiest to use.

Anyway, empirically in the real world, this method is widely used, regardless of
whether it's objectively smart or not.  And even if that security strategy isn't
chosen on purpose, sometimes private files get left lying around in directories
by accident.  Apache should try to be resilient in the event of such errors, not
try to punish its users for being careless.

I hope the mod_autoindex docs do get updated to at least describe Options
-Indexes.  If no recommendation is made there, perhaps the issue could be
mentioned in the Security Tips part of the Apache docs.

Regards

Paul
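
A configuration check for the `Options -Indexes` setting discussed in the comment above, as an added example (not from the bug report or the Apache project). It is a simplified model that reads only plain `<Directory>` sections and ignores `.htaccess`, `<Location>`, virtual hosts and `Include`; the function names and the sample paths are made up for illustration.

```python
import re

# Options that "All" expands to (All does not include MultiViews).
ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)

# Constructed sample configuration (paths are made up for this example).
SAMPLE_CONF = """
<Directory />
    Options None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
"""

def option_lines(conf):
    """Yield (directory_path, option_tokens) for each Options line in a <Directory> section."""
    current = None
    for line in (l.strip() for l in conf.splitlines()):
        m = OPEN.match(line)
        if m:
            current = m.group(1)
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("options "):
            yield current, line.split()[1:]

def apply_options(inherited, tokens):
    """Tokens with +/- adjust the inherited set; a bare list replaces it."""
    relative = any(t[0] in "+-" for t in tokens)
    result = set(inherited) if relative else set()
    for t in tokens:
        name = t.lstrip("+-").lower()
        names = ALL if name == "all" else set() if name == "none" else {name}
        result = result - names if t.startswith("-") else result | names
    return result

def indexes_enabled(conf, path, default=("followsymlinks",)):
    """True if mod_autoindex may list `path`. Pass default=ALL to model old releases."""
    opts = set(default)
    # Shorter (less specific) sections are merged first, as Apache does.
    for base, tokens in sorted(option_lines(conf), key=lambda s: len(s[0])):
        base = base.rstrip("/")
        if path == base or path.startswith(base + "/"):
            opts = apply_options(opts, tokens)
    return "indexes" in opts
```

With the sample configuration, a directory under `/var/www/html` is listable unless it falls under the `private` section, where `-Indexes` removes the inherited option.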
