> On Thu, 6 Apr 1995, Andrew Wilson wrote:
> > COMMA used to have ~user URLs when we first set the server up in 93,
> > but Robert Evans deemed that any program that gave away real usernames
> > to the outside world was intrinsically a bad thing - too easy for
> > crackers to get into poorly passworded accounts etc, etc.
>
> So I guess you guys never use email? Any system that gave away
> *arbitrary* information about accounts could be considered a negative
> thing - like finger @site for example - but /~user/ URL's aren't indexed
> anywhere, so someone pretty much has to know about it first before being
> able to access it (unless the site creates their own menus of /~user/s.)
We use e-mail. My COMMA drop is Andrew.Wilson@cm.cf.ac.uk heheheheh...
Lots of people have /~user/ URLs as their home pages, given away in .sigs
and you see them all over the place. I know it wouldn't be a good idea to
remove the ~user code from Apache, 'cuz that'd stop apache being a plug-in
replacement for NCSA, but a note to the effect that if you were really
hard-core about security you shouldn't encourage the use of ~user URLs. But
anyway, I'm not saying it's like a religious issue or anything.
> Brian "Bogosity Vanquishor" B.
Yeah, death to obfuscators, etc. ;)
Ay.
Andrew Wilson URL: http://www.cm.cf.ac.uk/User/Andrew.Wilson/
Elsevier Science, Oxford Office: +44 01865 843155 Mobile: +44 0589 616144