Most people think of the Interenet as a place you publish material that you want the world to see. However, it also has the advantage of easy access for widely distributed staff to look at material that is confidential - for instance sales or systems monitoring reports . The question is how do you exploit the easy access but keep your data confidential. The following method is simple and does not require any special server-side softeware. But how secure is it really? Has anyone else tried to do this and are there any flaws in my suggestion? Are there any other measures I could take to make the pages more secure?

To make a page secure on a public web site you need to do the following:

1) Create several levels of directories you have to drill down to the target file. Say four levels of directory with each directory name consisting of eight characters.

2) Use obscure, meaningless names for the directories containing a mixture both upper- and lower-case letters and numbers

3) Place a redirect on the index.htm page so that it takes you to a totally different site if you enter the bare domain name.

4) Copy the index.htm page into each level of directory.

5) Insert a metatag on every page that will stop the site being registered by web-crawlers.

Examples:

1) Example of a path name to a secure reports page: http://domain.co.uk/ab90GHwi/M098fgH7/9hgT234n/NF456poK/reports.htm

2) Example of html code containing a redirect and noindex metatag:

--------------------------------------
<html>
<head>
<meta http-equiv="refresh" content="1; url=http://www.yahoo.com">
<meta name="robots" content="noindex">
</head>
<a href="http://www.yahoo.com"></a>
</html>
---------------------------------------

This provides the following security:

1) To display the file you will have to send the link to someone. It is too difficult to type in manually.

2) This method is safe from browsers who hit the domain name http://domain.co.uk/. They will be redirected to some inoccuous site like http://www.yahho.com. Of course you could have a legitimate site linked from the the index.htm and still have this set of nested directories leading to your secure material behind it.

3) If someone hits an intermediate directory by chance they will be redirected away to another site - or your legitimate index.htm - just as when they hit the domain name itself.

4) None of the pages can be picked up by a webcrawler drilling down as the "noindex" metatag prevents registration.

5) Programs that drill down and copy whole web sites depend on following links. As there is no link on the home page these programs cannot find the secure pages.

Rob Wheeler
London, UK

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Is there another word for synonym?"

I do believe I'd rather use something like a password protected directory.

I am interested in LBs suggestion of a password protected directory. How is this achieved.

Rob Wheeler
herringbone@lineone.net

It takes about a minute to set up a password protected directory and the same effect is acheived.

You can do this in FP using a subweb - see here: http://www.outfront.net/frontpagesubwebs.htm
On a unix server you can use .htaccess which in the case of my host anyway can be set up in seconds from the site control panel and on an NT server you can use something like the Spooky log-in. There are also a plethora of cgi and other scripts available, many free, which will handle a log in system easily on a unix server.

------------------
Katherine

InKK Design
LinKKs - Kilkenny's Online Magazine

-*-*-*-*-*-*-*-*-*-*
"Dogs have owners, cats have staff!"

[This message has been edited by abbeyvet (edited 06-26-2001).]

quote:

---

Originally posted by Herringbone:
[B]What do ROTFLMAO and FOCL mean? I suspect thaye are terms of vigorous contempt? Not such a good idea eh? So please tell me how this scheme can be hacked? Are you willing to take on a challenge? If I set up a site with a poem located on it somewhere and offered a prize of £50 if you could find it - are you confident enough to take me on? Could you hack in and get it?

---

Rob, your approach is not a security approach, it's a... work around. It's not "security," it's just awkward.

So to answer your questions:

1. How secure is it really? Not secure at all.
2. Has anyone else tried to do this and are there any flaws in my suggestion? Nobody would attempt to install security in this way; it's riddled with flaws.
3. You need a login system, end of story.

If you're on an NT system, use the Spooky Login, which you can buy here by clicking that thing in the upper left corner.

If you're on a UNIX system, use .htaccess as Katherine suggested.

If you're planning to create an extranet for access to an extensive set of documents, and you'd like them organised in a secure and accessible way, email me at sabrina.dent@appercept.co.uk and we can discuss other options.

--Bri

------------------
"Bother," said Pooh, as Piglet was assimilated by the Borg.
-------------------
Work, work, work: http://www.appercept.co.uk
Out of office hours: http://www.darlingbri.co.uk

I understand what you are trying to do. I think you received the above responses because of the tone of your post.

quote:

---

HOW TO STOP PEOPLE READING YOUR WEB PAGES!

---

Also:

quote:

---

To make a page secure on a public web site you need to do the following:

---

There are many visitors to this site that have little to no experience with security. They could be misled into thinking their credit card numbers, social security, birthdays or whatever was actually secure.

Your proposal is not "secure" but "obscure"... out of sight or hidden. The *only* thing keeping people out, is they don't know it is there. It is the proverbial "needle in a haystack".

I live in Chicago. My car was broken in 3 times a month ago. It was unlocked all three times. This is analogous to your plan:

You would have me move my car 4 blocks to the East, 3 blocks North and hide it in this undeveloped patch of trees where nobody (hopefully) will see it. I would still leave it *unlocked*. And, in a way, you are correct- It is safe until someone sees me attending the car or they stumble across it *OR* until someone who knows me tells someone who tells someone and pretty soon the wrong person knows. I think it is axiomatic that someone *will* find out. Not to mention the *huge* inconvenience I would have of maintaining my car.

Now, back to my house. If I were smart enough to lock my car doors in the first place, it *MAY* never have been broke in. Locking the doors would be the same as implementing a password protection system...

I hope I have helped. Also, you may want to check out this site:

http://www.happyhacker.org/uberhacker/index.shtml

You can read a little of what some people are capable of doing. Many would blow through the "obscure" web site like the bad wolf through a straw house.

Joe

For the record *definitely* no contempt on my part.

The abbreviations:

FOCL = "Fell (or Falling) Off Chair Laughing."

ROTFLMAO - "Rolling on the Floor Laughing My Ass Off"

Your scheme showed a lot of thought and was quite an ingenious workaround. But the posts from Abbeyvet, DarlingBri, and JBennet are all spot on.

It wouldn't be secure and it would be a total nightmare to implement an a large site. The spooky login, .htaccess, and subwebs are all much more viable and infintely easier to do in the long run.

------------------
Hope this helps :-)
Gorilla
aka Mark Saunders
http://www.computerdriving.com

Email Address: marksaunders@techie.com

=======
"Gotcha!" Cackled Pooh as he assimilated the Borg.

I didn't take offence (altho ROTFLMAO does sound a *little* derisory!).

I think I'd better explain what I am trying to do as I don't think I made it quite clear.

We have a site to which we automatically FTP a series of systems monitoring reports several times a day. There are about 8 reports at the moment, written in HTML and accessed via a home page. They are refreshed with the new version overwriting the old and they never increase in length. It is a very simple site and requires no maintenance. The reports were prototyped using FP but the site has not been published as FP because it is so simple.

Up to now we have only used it for viewing systems reports - disk sizes, success of backups, problems on the network etc. Systems support people really like it as it is so convenient to access reports from anywhere. All we have to do is mail them the link and they keep it on thir desktop on in their favourites. The problem is that now my manager thinks the idea is so good he wants to put sales reports and other more sensitive stuff on the web for directors to access. I feel jittery about this which was I floated it to you folk knowing I'd get some good critical feedback - and I did get some.

However, I am still not convinced it is such a bad idea. Folk have only *asserted* that it is unsound but no *explanations* have been given.

jbennett's analogy with hiding your car down a series of side streets is not applicable here. The point is that you can walk down the streets and find the car. Under my scheme there appears to be no way that you can drill down to the content of the site (but I am willing to be proved wrong). I have placed a poem on the following site - can anyone break in and tell me what it is?

http://www.geocities.com/kermits_lillypad

If you enter this address into your browser it will redirect you to Yahoo. Unless you know a long string of characters and the name of the target file then you cannot access it. Is this not equivalent to a password?

The only way I can imagine you could get to this file would be to use a utility that would drill down past the index.htm file regardless of there being no links on any pages on the site. If this could be done then all web sites would be vulnerable.

Who will take on my challenge and find the poem!?

Rob Wheeler
London, UK

Perhaps that persons son or daughter might be using the computer and come accross the link and say "Hey! Cool!! A secret page!" and email the link to a friend. The friend says "Hey Dad, look at this. Why do your company not do this?"

Dad, who happens to work for one of your competitors takes a look.

Maybe not likely but not terribly unlikely either, especially given the scenario you suggest where the link remains always the same and the docs are simply overwritten.

How much easier to have a secure area, where you could have a full homepage tyoe set up for those with authorised access and various levels of access according to who they are.

------------------
Katherine

InKK Design
LinKKs - Kilkenny's Online Magazine

-*-*-*-*-*-*-*-*-*-*
"Dogs have owners, cats have staff!"

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Is there another word for synonym?"

Has anyone managed to read my site yet?

Rob Wheeler
London, UK

You have 6 people telling you this method not secure, and we have no vested interest in how you run your website.

Perhaps you should consider that we're not just sitting on a fence whistling Dixie.

The point of a properly built extranet system (which is what you want) is that you can *remove* indivudual user permissions.

Salesperson Jones is FIRED from your organisation and goes to work for a competitor.

Now, under your system, you have to move all your documents and redistribute their locations - for a growing number of documents, to a growing number of users.

Or, under a proper system, you click "delete user" and salesperson Jones is no more.

It's really up to you.

--Bri

------------------
"Bother," said Pooh, as Piglet was assimilated by the Borg.
-------------------
Work, work, work: http://www.appercept.co.uk
Out of office hours: http://www.darlingbri.co.uk

On the other hand, if you feel it is even remotely likely someone would want to get to this information and their doing so would be have negative consequences for your company, simply hiding the urls would be insufficient.

1) Depending on your server/server settings it is possible to browse the directory structure of your website in a browser. Someone who opened up this index could simply open up the directories you have opened and find the documents.

2) Email is insecure. Any email communication sent unencrypted can be read by someone monitoring your ip address. If you sent an insecure email with the url included someone could intercept it.

3) http communication is insecure. Anyone monitoring your ip address could see what websites you have visited. In fact, that information is visible to websites you visit after you leave your website and obtain the url's for the files you are trying to hide. Programs called "packet sniffers" are fairly common. They can intercept information sent between server and client.

From what you are saying, it seems like you really need some form of server side protection. If your company is hosting its own website, you can set the permissions on your server yourself and create a user name and password that will allow yourself access to the system. If you are paying for someone else to host your site, check with your host about security options or use the methods discussed above.

[This message has been edited by puiwaihin (edited 06-29-2001).]

My main interest with this exercise was to see if we could post secure documents without needing to invoke anything on the server side but from the comments I have been getting here it does not look as if that is possible.

The thought we have been entertaining recently is to put up our documents in encrypted form. We have already developed an encryption program in perl and VB for use with FTP. We could FTP the files to the site with this but we will need to develop a browser under VB that could decrypt on the fly. Our VB programmer is already investigating this but he reckons that with the existing encrtption program he has written and the IE control under VB it will be fairly easy. We could use the scheme that I have already outlined and in addition issue the key users with this special browser.

A scheme like this will make us completely independent of the web host.

By the way I was interested in what puiwaihin said...

>1) Depending on your server/server settings >it is possible to browse the directory >structure of your website in a browser. >Someone who opened up this index could >simply open up the directories you have >opened and find the documents.

How is this possible if you have an index.htm file in the root directory? My index.htm redirects you. How is it possible to get behind it?

ROB

quote:

---

Originally posted by herringbone1:
Thanks for everyone's comments. We are currently using someone else's site and they do not run CGI scripts but I will take up the point about investigating how we can set up logins. However, we are extremely cheap and we want to do this at minimal cost!!

---

quote:

---

My main interest with this exercise was to see if we could post secure documents without needing to invoke anything on the server side but from the comments I have been getting here it does not look as if that is possible.

---

quote:

---

The thought we have been entertaining recently is to put up our documents in encrypted form. We have already developed an encryption program in perl and VB for use with FTP. We could FTP the files to the site with this but we will need to develop a browser under VB that could decrypt on the fly. Our VB programmer is already investigating this but he reckons that with the existing encrtption program he has written and the IE control under VB it will be fairly easy. We could use the scheme that I have already outlined and in addition issue the key users with this special browser.

---

quote:

---

By the way I was interested in what puiwaihin said...

>1) Depending on your server/server settings >it is possible to browse the directory >structure of your website in a browser. >Someone who opened up this index could >simply open up the directories you have >opened and find the documents.

How is this possible if you have an index.htm file in the root directory? My index.htm redirects you. How is it possible to get behind it?

---

A good hacker will get through a $50K firewall, three "sandbox" servers and break a passwd file in less time than it takes to write the redirect tag

------------------
Gil Harvey
The Host Factory
Resellers are our speciality
"Daddy, why doesn't this magnet pick up this floppy disk?"

How cheap can a company *possibly* be???

But I've got to echo Bri's question. Both I (and clients) have been badly burnt in the past by not protecting data, failing to install firewalls, leaving ports wide open and shrieking their presence to every script kiddy in the world with an ip scanner.

Cheap yes absolutely - that's me - the original el cheapo , but there's such a thing as pennywise and pound foolish - and I've been there, done that, bought the tee-shirt and discovered that the said tee shirt was actually the shirt of Nessus.

I've also re-invented the wheel on occasion, which at the very least represented an opportunity cost (I could have been doing something useful.)

------------------
Hope this helps :-)
Gorilla
aka Mark Saunders
http://www.computerdriving.com

Email Address: marksaunders@techie.com

=======
"Gotcha!" Cackled Pooh as he assimilated the Borg.

quote:

---

How is this possible if you have an index.htm file in the root directory? My index.htm redirects you. How is it possible to get behind it?

---

I was not going to post on this thread since I have said my piece, but I broke down. The redirect is not meant for security. It only works if the user does not care (most everyone) or is clueless.

Since the only thing on your page is:
<html>
<head>
<meta http-equiv="refresh" content="0; url=http://www.yahoo.com">
<meta name="robots" content="noindex,nofollow">
</head>
<p>Welcome to Yahoo...</p>
</html>

There is really no way to show you. Although, I doubt proof would persuade you anyhow.

Joe

You obviously are incapable of distinguishing between irrational scepticism and genuine enquiry. I am not questioning what you say out of bloody-mindedness I just want to understand the issues here. Your bland assurances from the hights of great authority and experience cut no ice with me I am afraid. I would just like to know *how* one can list a directory while an INDEX.HTM in place which contains no links. (The redirect in this case is irrelevant as the effect would be the same even if you had a blank HTML page.) You do not seem to be able to say *how* it can be done. Maybe you do not know - which is fine - just say so. You may have come across examples where people have done it but you do not know - that's fine. But there is no need to get insulting when someond questions your great knowledge and wisdom

I thought your remark...

>>There is really no way to show you. Although, I doubt proof would persuade you anyhow

...was alittle peevish if you don't mind me saying.

If you know - tell me - if you don't - then cut out the dogmatism!

-------------------

Dear DarlingBri

You have persuaded me about .htaccess - free and does not require cgi - I shall definely pursue it as an option.

I assume you invoke the login from a piece of JAVA script and that the result is that the user logs into UNIX as a regular user (and their access to directories is controlled by UNIX and not Apache).

Do you know where I can read about it?

----------------------

Rob Wheeler

quote:

---

You do not seem to be able to say *how* it can be done. Maybe you do not know - which is fine - just say so.

---

To post such information here would be to give a road map to would be hackers. Not only a bad idea but possibly illegal and certainly not what this forum is about. There is just no way that anyone will post anything like that in an Outfront forum - if they did it would be immediately deleted by one of the mods.

There are several people here whose job it is to keep servers secure - by definition they are aware of all the scams, tricks and ruses people use to access unauthorised documents but they are not about to spread the word around about how it can be done.

quote:

---

I assume you invoke the login from a piece of JAVA script and that the result is that the user logs into UNIX as a regular user (and their access to directories is controlled by UNIX and not Apache)

---

Or you could simply password protect the directories with a .htaccess file, no need for unnecessary complications. There is a tutorial here: http://www.cuddymania.com/tutorials/htaccess/

People here have genuinely tried to help you and steer you in the right direction. People who know a great deal about this subjuct, which you admit you do not. However their genuine effort have been repeatedly met with scepticism based on nothing much. It is little wonder that, like jbennet, they get a little fed up and it comes out in their posts.

I think that might be an end to it now. We have all tried to help - the info you need is available to you several times over in the above posts. Good luck with it.

------------------
Katherine

InKK Design
LinKKs - Kilkenny's Online Magazine

-*-*-*-*-*-*-*-*-*-*
"Dogs have owners, cats have staff!"

[This message has been edited by abbeyvet (edited 07-01-2001).]

Thank you for all the info you and others have given. I do not wish to appear ungrateful as the leads I have been given are very useful and I will follow them up. I was just questioning peoples reasons - not disbelieving.

The link you gave "http://www.cuddymania.com/tutorials/htaccess/" appears to be dead - but I will try it again later. Ut might only be temporary.

If - as you imply - it is so easy to break into a web site - and I am not contradicting you - then I would have thought that publicising it would be one way of starting to fix the holes.

As for using Unix logins... I wonder how secure that method is if it is possible to get behind an index.htm file to the underlying directory. How secure is any so called security? Encrypted files might be the only really secure metod for me.

Sorry to have ruffled some feathers by querying the experts!! I will approach in a more humble and supplecatory manner in future. (Just joking - I really am grateful for the help).

Rob Wheeler

------------------
I am a survivor.
I'm going to make it.
Not going to give up.
I'm a survivor.
Going to work harder.

Something-Fishy