Re: How secure is .htaccess?

  • Subject: Re: How secure is .htaccess?
  • From: Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx>
  • Date: Sat, 25 Feb 2006 10:43:31 +0000
  • Newsgroups: alt.hacker
  • Organization: schestowitz.com / MCC / Manchester University
  • References: <8Jydnb0OHP-3up3ZRVn-jg@buckeye-express.com>
  • Reply-to: newsgroups@xxxxxxxxxxxxxxx
  • User-agent: KNode/0.7.2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

__/ [ Rainman ] on Saturday 25 February 2006 09:45 \__


With a limited level of confidence:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: OSHA1
> 
> Does anybody know just how secure is a web directory with digest
> password protection placed in the .htaccess file on an Apache2 Windows
> server?


If it's a Windows server, it is already less than secure. Such boxes are easy
to hijack, so local password data can be stolen or leaked. Encrypting the
filesystem is another matter and I don't think that Vista's predecessors
support it.


> Related questions:
> 1. Where does the browser normally store this digest information? The
> browser's cache? A cookie?


Browsers like Mozilla store passwords in obfuscated form, not in the cache.
Emptying the cache is separate from flushing of user passwords.

A cookie should not contain any password. When cookies are used, the data is
stored on the Web server. In Firefox, the user can erase selected saved
passwords from a list.


> 2. Can such a server be configured to require a password again after a
> certain time period without the user clearing the browser cache or
> exiting the browser manually?


You need to intervene with the browser in order to achieve this. The best
you can do is change the password periodically and inform the users. For
example, you could append the hour of the day to your passwords and ask
users to follow this 'rule'.


> 3. Are the passwords sent securely?


Good question. I wondered about that too. I suspect they are not negotiated
with SSL involved, unless one serves pages via HTTPS.


> 4. Does anybody have a specific recommendation for configuring access
> privileges to a web directory that would be preferable?


700 should be fine. I am assuming you don't mean "Web directory" /a la/ DMOZ.


> These are some of the questions I've been dealing with lately. I have a
> (reasonably) secure area of my website that I use to upload/download my
> homework while working in my university's labs on campus, but I've been
> wrestling with how to deal with specific issues with this setup to
> prevent other students from accessing my work, especially under certain
> limitations that are enforced on campus. Specifically, I have seen some
> setups where the user is unable to close the web browser or clear the
> browser cache, and while the lab computers are not set up this way on
> campus, it is possible that such a setup will be enforced in the future.


When finished with the browser, flush history, cookies, passwords, cache. You
will then be on the 'safe side'. By the way, the University should allow
people to log into their private account.

Yesterday I warned a friend and colleague of mine not to edit sites in the
public library. The sites could get defaced by curious users.


> Any ideas to improve the directory's security?


Don't use public terminals unless you know what you are doing.

Best wishes,

Roy

- -- 
Roy S. Schestowitz      | Bottom-post: as English goes from top to bottom
http://Schestowitz.com  |    SuSE Linux     |     PGP-Key: 0x74572E8E
 10:30am  up 7 days 22:49,  10 users,  load average: 0.52, 0.93, 0.94
      http://iuron.com - help build a non-profit search engine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQFEADTaU4xAY3RXLo4RAm/GAKCJyda3czmeZDJq3Toc3dVXzl1rSQCeLLmi
qozBOQpB5Un9LaUi1q6xBbs=
=OgO2
-----END PGP SIGNATURE-----
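
Added example, not part of the original post: for question 3, this computes what a browser puts in the Authorization header under HTTP digest authentication (RFC 2617, qop=auth) and how the server checks it. It shows that the password itself is not transmitted, and that the server verifies using only the stored per-user hash (HA1), which is why the digest password file must stay unreadable to other users. The user, realm, password and nonce values are the sample values from RFC 2617 section 3.5, not values from this thread.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(username, realm, password):
    # Per-user value kept in an htdigest-format file as user:realm:HA1
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, f):
    # RFC 2617 section 3.2.2.1 with qop=auth: the response is bound to the
    # server nonce, the client nonce and counter, the method and the URI.
    ha2 = md5_hex(f"{method}:{f['uri']}")
    parts = [ha1_hex, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]
    return md5_hex(":".join(parts))

def server_verify(stored_ha1, method, f):
    # The server never needs the cleartext password, only the stored HA1.
    expected = digest_response(stored_ha1, method, f)
    return hmac.compare_digest(expected, f["response"])

# Sample values from RFC 2617 section 3.5 (assumed for illustration).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
REQUEST = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
}

def client_request():
    # What the browser sends: the header fields plus the computed response.
    fields = dict(REQUEST)
    fields["response"] = digest_response(ha1(USER, REALM, PASSWORD), "GET", fields)
    return fields

if __name__ == "__main__":
    sent = client_request()
    stored = ha1(USER, REALM, PASSWORD)
    print("response field on the wire:", sent["response"])
    print("password appears in header:", PASSWORD in " ".join(sent.values()))
    print("server accepts request:", server_verify(stored, "GET", sent))
    moved = dict(sent, uri="/dir/other.html")
    print("same response, different URI:", server_verify(stored, "GET", moved))
```

Digest authentication protects only the credential exchange; the pages and uploaded files themselves still cross the network unencrypted unless the site is served over HTTPS.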
