On Fri, 30 Nov 2001, Meritt James wrote:

> A couple of basic steps:
>
> 1. Don't put it on the system - ESPECIALLY in the ROOTDIR tree.
> 2. Make !@#$#$@# sure your spiders.txt is right.

Hmm, don't you mean 'robots.txt'? Do you also know that real nasty spiders don't care about robots.txt? DO NOT EVER RELY ON THAT FILE FOR SECURITY!!!

So, that said, what do you mean with the first point? Not putting a .htaccess on the filesystem?

To answer the original question: yes, if the username/password authentication is done through SSL, you are relatively safe. Be sure to at least follow the following steps:

- Make sure that the site is NOT available through SSL
- Make sure that .htaccess files are non-retrievable (but still readable by the webserver though)
- Make sure that the files for usernames+passwords are located outside the webroot
- Try to sniff yourself (with tcpdump for example) to be 100% sure

Remember that the user is the weakest link here: you can do 128-bit encryption, but if the user allows his browser to cache usernames+passwords, your entire security scheme can be moved to /dev/null.

Regards,
Johannes

> V/R
>
> Jim
>
> "Evan D. Hoffman" wrote:
> >
> > Recently there has been mention in the news about Google et al indexing
> > "sensitive" data. I was wondering what everyone thinks is the best way of
> > protecting such information. Currently I administer a site that uses the
> > Apache .htaccess file for authentication. All of the tools are HTTP based.
> > Since I started here I have moved all of the administration tools and other
> > sensitive information to https, but the authentication is still with Apache.
> >
> > I am still relatively new to the intricacies of Apache and SSL. Is
> > .htaccess authentication over SSL (128 bit) an "acceptable" authentication
> > scheme? I assume the SSL connection is established before the
> > login/password are sent so they should be "safe".
> >
> > TIA

-- 
Johannes Verelst | Email: [EMAIL PROTECTED]
Web: http://www.verelst.net | IRC: nl.eu.slashnet.org / Gullie
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning."
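The reply's advice to keep the username/password file outside the webroot can be checked mechanically. The audit script below is an added example written for this page, not code from the thread or from Apache; it assumes the standard Apache layout (`AuthUserFile` directives inside `.htaccess` files under the document root) and builds its own constructed sample tree to run against.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an Apache document root
# for the mistake the reply warns about: an AuthUserFile (the username/password
# file used by .htaccess authentication) that lives inside the web root, where
# a misconfigured server could serve it to a client.
# Directive and file names are Apache's own; the sample tree is constructed.

audit_webroot() {
    root=$(cd "$1" && pwd) || return 1   # canonical absolute path of the web root
    find "$root" -name .htaccess | while read -r ht; do
        # Take the path argument of every AuthUserFile directive, with quotes removed
        grep -i '^[[:space:]]*AuthUserFile' "$ht" | awk '{print $2}' | tr -d '"' |
        while read -r pw; do
            case "$pw" in
                "$root"/*) echo "BAD  $ht: AuthUserFile $pw is inside the web root" ;;
                /*)        echo "OK   $ht: AuthUserFile $pw is outside the web root" ;;
                *)
                    # Relative paths resolve against ServerRoot, so the
                    # filesystem alone cannot tell; flag for manual review.
                    echo "WARN $ht: AuthUserFile $pw is relative; check ServerRoot" ;;
            esac
        done
    done
}

# Number of findings that need attention (BAD or WARN); always exits 0
count_issues() {
    audit_webroot "$1" | awk '/^(BAD|WARN)/ { n++ } END { print n + 0 }'
}

# Constructed sample tree: one protected directory done wrong, one done right
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/admin" "$d/reports" "$d/private"
    printf 'AuthType Basic\nAuthUserFile %s/private/.htpasswd\nRequire valid-user\n' "$d" > "$d/admin/.htaccess"
    printf 'AuthType Basic\nAuthUserFile "/etc/apache/reports.htpasswd"\nRequire valid-user\n' > "$d/reports/.htaccess"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    audit_webroot "$1"
    echo "issues: $(count_issues "$1")"
fi
```

Run it as `sh audit.sh /path/to/htdocs`; a BAD line means the password file can be requested by URL unless the server explicitly denies it, so move the file out of the document root rather than relying on a deny rule alone.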
